# Cryptanalysis

**Cryptanalysis**is the study of analyzing information systems in order to study the hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

In addition to mathematical analysis of cryptographic algorithms, cryptanalysis includes the study of side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation.

Even though the goal has been the same, the methods and techniques of cryptanalysis have changed drastically through the history of cryptography, adapting to increasing cryptographic complexity, ranging from the pen-and-paper methods of the past, through machines like the British Bombes and Colossus computers at Bletchley Park in World War II, to the mathematically advanced computerized schemes of the present. Methods for breaking modern cryptosystems often involve solving carefully constructed problems in pure mathematics, the best-known being integer factorization.

## Overview

Given some encrypted data, the goal of the*cryptanalyst*is to gain as much information as possible about the original, unencrypted data.

### Amount of information available to the attacker

Attacks can be classified based on what type of information the attacker has available. As a basic starting point it is normally assumed that, for the purposes of analysis, the general algorithm is known; this is Shannon's Maxim "the enemy knows the system" — in its turn, equivalent to Kerckhoffs' principle. This is a reasonable assumption in practice — throughout history, there are countless examples of secret algorithms falling into wider knowledge, variously through espionage, betrayal and reverse engineering. :*Ciphertext-only*: the cryptanalyst has access only to a collection of ciphertexts or codetexts.*Known-plaintext*: the attacker has a set of ciphertexts to which he knows the corresponding plaintext.*Chosen-plaintext*: the attacker can obtain the ciphertexts corresponding to an arbitrary set of plaintexts of his own choosing.*Adaptive chosen-plaintext*: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly*Adaptive chosen ciphertext attack*.*Related-key attack*: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in the one bit.### Computational resources required

- Time — the number of
*computation steps*which must be performed. - Memory — the amount of
*storage*required to perform the attack. - Data — the quantity and type of
*plaintexts and ciphertexts*required for a particular approach.

*order of magnitude*of their attacks' difficulty, saying, for example, "SHA-1 collisions now 2

^{52}."

Bruce Schneier notes that even computationally impractical attacks can be considered breaks: "Breaking a cipher simply means finding a weakness in the cipher that can be exploited with a complexity less than brute force. Never mind that brute-force might require 2

^{128}encryptions; an attack requiring 2

^{110}encryptions would be considered a break...simply put, a break can just be a certificational weakness: evidence that the cipher does not perform as advertised."

### Partial breaks

The results of cryptanalysis can also vary in usefulness. For example, cryptographer Lars Knudsen classified various types of attack on block ciphers according to the amount and quality of secret information that was discovered:*Total break*— the attacker deduces the secret key.*Global deduction*— the attacker discovers a functionally equivalent algorithm for encryption and decryption, but without learning the key.*Instance deduction*— the attacker discovers additional plaintexts not previously known.*Information deduction*— the attacker gains some Shannon information about plaintexts not previously known.*Distinguishing algorithm*— the attacker can distinguish the cipher from a random permutation.

In academic cryptography, a

*weakness*or a

*break*in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker be able to do things many real-world attackers can't: for example, the attacker may need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking of the full system.

## History

Cryptanalysis has coevolved together with cryptography, and the contest can be traced through the history of cryptography—new ciphers being designed to replace old broken designs, and new cryptanalytic techniques invented to crack the improved schemes. In practice, they are viewed as two sides of the same coin: secure cryptography requires design against possible cryptanalysis.### Classical ciphers

Although the actual word "*cryptanalysis*" is relatively recent, methods for breaking codes and ciphers are much older. David Kahn notes in

*The Codebreakers*that Arab scholars were the first people to systematically document cryptanalytic methods.

The first known recorded explanation of cryptanalysis was given by Al-Kindi, a 9th-century Arab polymath, in

*Risalah fi Istikhraj al-Mu'amma*. This treatise contains the first description of the method of frequency analysis. Al-Kindi is thus regarded as the first codebreaker in history. His breakthrough work was influenced by Al-Khalil, who wrote the

*Book of Cryptographic Messages*, which contains the first use of permutations and combinations to list all possible Arabic words with and without vowels.

Frequency analysis is the basic tool for breaking most classical ciphers. In natural languages, certain letters of the alphabet appear more often than others; in English, "E" is likely to be the most common letter in any sample of plaintext. Similarly, the digraph "TH" is the most likely pair of letters in English, and so on. Frequency analysis relies on a cipher failing to hide these statistics. For example, in a simple substitution cipher, the most frequent letter in the ciphertext would be a likely candidate for "E". Frequency analysis of such a cipher is therefore relatively easy, provided that the ciphertext is long enough to give a reasonably representative count of the letters of the alphabet that it contains.

Al-Kindi's invention of the frequency analysis technique for breaking monoalphabetic substitution ciphers was the most significant cryptanalytic advance until World War II. Al-Kindi's

*Risalah fi Istikhraj al-Mu'amma*described the first cryptanalytic techniques, including some for polyalphabetic ciphers, cipher classification, Arabic phonetics and syntax, and most importantly, gave the first descriptions on frequency analysis. He also covered methods of encipherments, cryptanalysis of certain encipherments, and statistical analysis of letters and letter combinations in Arabic. An important contribution of Ibn Adlan was on sample size for use of frequency analysis.

In Europe, Italian scholar Giambattista della Porta was the author of a seminal work on cryptanalysis,

*De Furtivis Literarum Notis*.

Successful cryptanalysis has undoubtedly influenced history; the ability to read the presumed-secret thoughts and plans of others can be a decisive advantage. For example, in England in 1587, Mary, Queen of Scots was tried and executed for treason as a result of her involvement in three plots to assassinate Elizabeth I of England. The plans came to light after her coded correspondence with fellow conspirators was deciphered by Thomas Phelippes.

In Europe during the 15th and 16th centuries, the idea of a polyalphabetic substitution cipher was developed, among others by the French diplomat Blaise de Vigenère. For some three centuries, the Vigenère cipher, which uses a repeating key to select different encryption alphabets in rotation, was considered to be completely secure. Nevertheless, Charles Babbage and later, independently, Friedrich Kasiski succeeded in breaking this cipher. During World War I, inventors in several countries developed rotor cipher machines such as Arthur Scherbius' Enigma, in an attempt to minimise the repetition that had been exploited to break the Vigenère system.

### Ciphers from World War I and World War II

In World War I, the breaking of the Zimmermann Telegram was instrumental in bringing the United States into the war. In World War II, the Allies benefitted enormously from their joint success cryptanalysis of the German ciphers — including the Enigma machine and the Lorenz cipher — and Japanese ciphers, particularly 'Purple' and JN-25. 'Ultra' intelligence has been credited with everything between shortening the end of the European war by up to two years, to determining the eventual result. The war in the Pacific was similarly helped by 'Magic' intelligence.Cryptanalysis of enemy messages played a significant part in the Allied victory in World War II. F. W. Winterbotham, quoted the western Supreme Allied Commander, Dwight D. Eisenhower, at the war's end as describing Ultra intelligence as having been "decisive" to Allied victory. Sir Harry Hinsley, official historian of British Intelligence in World War II, made a similar assessment about Ultra, saying that it shortened the war "by not less than two years and probably by four years"; moreover, he said that in the absence of Ultra, it is uncertain how the war would have ended.

In practice, frequency analysis relies as much on linguistic knowledge as it does on statistics, but as ciphers became more complex, mathematics became more important in cryptanalysis. This change was particularly evident before and during World War II, where efforts to crack Axis ciphers required new levels of mathematical sophistication. Moreover, automation was first applied to cryptanalysis in that era with the Polish Bomba device, the British Bombe, the use of punched card equipment, and in the Colossus computers — the first electronic digital computers to be controlled by a program.

#### Indicator

With reciprocal machine ciphers such as the Lorenz cipher and the Enigma machine used by Nazi Germany during World War II, each message had its own key. Usually, the transmitting operator informed the receiving operator of this message key by transmitting some plaintext and/or ciphertext before the enciphered message. This is termed the*indicator*, as it indicates to the receiving operator how to set his machine to decipher the message.

Poorly designed and implemented indicator systems allowed first Polish cryptographers and then the British cryptographers at Bletchley Park to break the Enigma cipher system. Similar poor indicator systems allowed the British to identify

*depths*that led to the diagnosis of the Lorenz SZ40/42 cipher system, and the comprehensive breaking of its messages without the cryptanalysts seeing the cipher machine.

#### Depth

Sending two or more messages with the same key is an insecure process. To a cryptanalyst the messages are then said to be*"in depth."*This may be detected by the messages having the same

*indicator*by which the sending operator informs the receiving operator about the key generator initial settings for the message.

Generally, the cryptanalyst may benefit from lining up identical enciphering operations among a set of messages. For example, the Vernam cipher enciphers by bit-for-bit combining plaintext with a long key using the "exclusive or" operator, which is also known as "modulo-2 addition" :

Deciphering combines the same key bits with the ciphertext to reconstruct the plaintext:

When two such ciphertexts are aligned in depth, combining them eliminates the common key, leaving just a combination of the two plaintexts:

The individual plaintexts can then be worked out linguistically by trying

*probable words*, also known as

*"cribs,"*at various locations; a correct guess, when combined with the merged plaintext stream, produces intelligible text from the other plaintext component:

The recovered fragment of the second plaintext can often be extended in one or both directions, and the extra characters can be combined with the merged plaintext stream to extend the first plaintext. Working back and forth between the two plaintexts, using the intelligibility criterion to check guesses, the analyst may recover much or all of the original plaintexts. When a recovered plaintext is then combined with its ciphertext, the key is revealed:

Knowledge of a key of course allows the analyst to read other messages encrypted with the same key, and knowledge of a set of related keys may allow cryptanalysts to diagnose the system used for constructing them.

### Development of modern cryptography

Governments have long recognized the potential benefits of cryptanalysis for intelligence, both military and diplomatic, and established dedicated organizations devoted to breaking the codes and ciphers of other nations, for example, GCHQ and the NSA, organizations which are still very active today.replicated the action of several Enigma machines wired together. Each of the rapidly rotating drums, pictured above in a Bletchley Park museum mockup, simulated the action of an Enigma rotor.

Even though computation was used to great effect in the cryptanalysis of the Lorenz cipher and other systems during World War II, it also made possible new methods of cryptography orders of magnitude more complex than ever before. Taken as a whole, modern cryptography has become much more impervious to cryptanalysis than the pen-and-paper systems of the past, and now seems to have the upper hand against pure cryptanalysis. The historian David Kahn notes:

Kahn goes on to mention increased opportunities for interception, bugging, side channel attacks, and quantum computers as replacements for the traditional means of cryptanalysis. In 2010, former NSA technical director Brian Snow said that both academic and government cryptographers are "moving very slowly forward in a mature field."

However, any postmortems for cryptanalysis may be premature. While the effectiveness of cryptanalytic methods employed by intelligence agencies remains unknown, many serious attacks against both academic and practical cryptographic primitives have been published in the modern era of computer cryptography:

- The block cipher Madryga, proposed in 1984 but not widely used, was found to be susceptible to ciphertext-only attacks in 1998.
- FEAL-4, proposed as a replacement for the DES standard encryption algorithm but not widely used, was demolished by a spate of attacks from the academic community, many of which are entirely practical.
- The A5/1, A5/2, CMEA, and DECT systems used in mobile and wireless phone technology can all be broken in hours, minutes or even in real-time using widely available computing equipment.
- Brute-force keyspace search has broken some real-world ciphers and applications, including single-DES, 40-bit "export-strength" cryptography, and the DVD Content Scrambling System.
- In 2001, Wired Equivalent Privacy, a protocol used to secure Wi-Fi wireless networks, was shown to be breakable in practice because of a weakness in the RC4 cipher and aspects of the WEP design that made related-key attacks practical. WEP was later replaced by Wi-Fi Protected Access.
- In 2008, researchers conducted a proof-of-concept break of SSL using weaknesses in the MD5 hash function and certificate issuer practices that made it possible to exploit collision attacks on hash functions. The certificate issuers involved changed their practices to prevent the attack from being repeated.

In 2004, it was reported that the United States had broken Iranian ciphers. It is unknown, however, whether this was pure cryptanalysis, or whether other factors were involved.

## Symmetric ciphers

- Boomerang attack
- Brute-force attack
- Davies' attack
- Differential cryptanalysis
- Impossible differential cryptanalysis
- Improbable differential cryptanalysis
- Integral cryptanalysis
- Linear cryptanalysis
- Meet-in-the-middle attack
- Mod-n cryptanalysis
- Related-key attack
- Sandwich attack
- Slide attack
- XSL attack
## Asymmetric ciphers

Asymmetric schemes are designed around the difficulty of solving various mathematical problems. If an improved algorithm can be found to solve the problem, then the system is weakened. For example, the security of the Diffie–Hellman key exchange scheme depends on the difficulty of calculating the discrete logarithm. In 1983, Don Coppersmith found a faster way to find discrete logarithms, and thereby requiring cryptographers to use larger groups. RSA's security depends upon the difficulty of integer factorization — a breakthrough in factoring would impact the security of RSA.

In 1980, one could factor a difficult 50-digit number at an expense of 10

^{12}elementary computer operations. By 1984 the state of the art in factoring algorithms had advanced to a point where a 75-digit number could be factored in 10

^{12}operations. Advances in computing technology also meant that the operations could be performed much faster, too. Moore's law predicts that computer speeds will continue to increase. Factoring techniques may continue to do so as well, but will most likely depend on mathematical insight and creativity, neither of which has ever been successfully predictable. 150-digit numbers of the kind once used in RSA have been factored. The effort was greater than above, but was not unreasonable on fast modern computers. By the start of the 21st century, 150-digit numbers were no longer considered a large enough key size for RSA. Numbers with several hundred digits were still considered too hard to factor in 2005, though methods will probably continue to improve over time, requiring key size to keep pace or other methods such as elliptic curve cryptography to be used.

Another distinguishing feature of asymmetric schemes is that, unlike attacks on symmetric cryptosystems, any cryptanalysis has the opportunity to make use of knowledge gained from the public key.

## Attacking cryptographic hash systems

- Birthday attack
- Hash function security summary
- Rainbow table
## Side-channel attacks

- Black-bag cryptanalysis
- Man-in-the-middle attack
- Power analysis
- Replay attack
- Rubber-hose cryptanalysis
- Timing analysis
## Quantum computing applications for cryptanalysis

By using Grover's algorithm on a quantum computer, brute-force key search can be made quadratically faster. However, this could be countered by doubling the key length.

### Historic cryptanalysts

- Conel Hugh O'Donel Alexander
- Charles Babbage
- Lambros D. Callimahos
- Joan Clarke
- Alastair Denniston
- Agnes Meyer Driscoll
- Elizebeth Friedman
- William F. Friedman
- Meredith Gardner
- Friedrich Kasiski
- Al-Kindi
- Dilly Knox
- Solomon Kullback
- Marian Rejewski
- Joseph Rochefort, whose contributions affected the outcome of the Battle of Midway
- Frank Rowlett
- Abraham Sinkov
- Giovanni Soro, the Renaissance's first outstanding cryptanalyst
- John Tiltman
- Alan Turing
- William T. Tutte
- John Wallis - 17th-century English mathematician
- William Stone Weedon - worked with Fredson Bowers in World War II
- Herbert Yardley
### Citations