Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

2.3 The Vigenère Cipher

A variation of the shift cipher was invented back in the sixteenth century. It is often attributed to Vigenère, though Vigenère’s encryption methods were more sophisticated. Well into the twentieth century, this cryptosystem was thought by many to be secure, though Babbage and Kasiski had shown how to attack it during the nineteenth century. In the 1920s, Friedman developed additional methods for breaking this and related ciphers.

The key for the encryption is a vector, chosen as follows. First choose a key length, for example, 6. Then choose a vector of this size whose entries are integers from 0 to 25, for example $k = (21, 4, 2, 19, 14, 17)$ $k = (21, 4, 2, 19, 14, 17)$ . Often the key corresponds to a word that is easily remembered. In our case, the word is vector. The security of the system depends on the fact that neither the keyword nor its length is known.

To encrypt the message using the $k$ $k$ in our example, we take first the letter of the plaintext and shift by 21. Then shift the second letter by 4, the third by 2, and so on. Once we get to the end of the key, we start back at its first entry, so the seventh letter is shifted by 21, the eighth letter by 4, etc. Here is a diagram of the encryption process.

\begin{matrix} (plaintext) \\ (key) \\ (ciphertext) \end{matrix} \begin{array}{cccccccccccccccc} h & e & r & e & i & s & h & o & w & i & t & w & o & r & k & s \\ 21 & 4 & 2 & 19 & 14 & 17 & 21 & 4 & 2 & 19 & 14 & 17 & 21 & 4 & 2 & 19 \\ C & I & T & X & W & J & C & S & Y & B & H & N & J & V & M & L \end{array}

$\begin{matrix} (plaintext) \\ (key) \\ (ciphertext) \end{matrix} \begin{array}{cccccccccccccccc} h & e & r & e & i & s & h & o & w & i & t & w & o & r & k & s \\ 21 & 4 & 2 & 19 & 14 & 17 & 21 & 4 & 2 & 19 & 14 & 17 & 21 & 4 & 2 & 19 \\ C & I & T & X & W & J & C & S & Y & B & H & N & J & V & M & L \end{array}$

A known plaintext attack will succeed if enough characters are known since the key is simply obtained by subtracting the plaintext from the ciphertext mod 26. A chosen plaintext attack using the plaintext $a a a a a \dots$ $a a a a a \dots$ will yield the key immediately, while a chosen ciphertext attack with $A A A A A \dots$ $A A A A A \dots$ yields the negative of the key. But suppose you have only the ciphertext. It was long thought that the method was secure against a ciphertext-only attack. However, it is easy to find the key in this case, too.

The cryptanalysis uses the fact that in most English texts the frequencies of letters are not equal. For example, $e$ $e$ occurs much more frequently than $x$ $x$ . These frequencies have been tabulated in [Beker-Piper] and are provided in Table 2.1.

An illustration shows frequencies of letters in English.

Table 2.1 Full Alternative Text

Of course, variations can occur, though usually it takes a certain amount of effort to produce them. There is a book Gadsby by Ernest Vincent Wright that does not contain the letter $e$ $e$ . Even more impressive is the book La Disparition by George Perec, written in French, which also does not have a single $e$ $e$ (not only are there the usual problems with verbs, etc., but almost all feminine nouns and adjectives must be avoided). There is an English translation by Gilbert Adair, A Void, which also does not contain $e$ $e$ . But generally we can assume that the above gives a rough estimate of what usually happens, as long as we have several hundred characters of text.

If we had a simple shift cipher, then the letter $e$ $e$ , for example, would always appear as a certain ciphertext letter, which would then have the same frequency as that of $e$ $e$ in the original text. Therefore, a frequency analysis would probably reveal the key. However, in the preceding example of a Vigenère cipher, the letter $e$ $e$ appears as both $I$ $I$ and $X$ $X$ . If we had used a longer plaintext, $e$ $e$ would probably have been encrypted as each of $Z$ $Z$ , $I$ $I$ , $G$ $G$ , $X$ $X$ , $S$ $S$ , and $V$ $V$ , corresponding to the shifts 21, 4, 2, 19, 14, 17. But the occurrences of $Z$ $Z$ in a ciphertext might not come only from $e$ $e$ . The letter $v$ $v$ is also encrypted to $Z$ $Z$ when its position in the text is such that it is shifted by 4. Similarly, $x$ $x$ , $g$ $g$ , $l$ $l$ , and $i$ $i$ can contribute $Z$ $Z$ to the ciphertext, so the frequency of $Z$ $Z$ is a combination of that of $e$ $e$ , $v$ $v$ , $x$ $x$ , $g$ $g$ , $l$ $l$ , and $i$ $i$ from the plaintext. Therefore, it appears to be much more difficult to deduce anything from a frequency count. In fact, the frequency counts are usually smoothed out and are much closer to 1/26 for each letter of ciphertext. At least, they should be much closer than the original distribution for English letters.

Here is a more substantial example. This example is also treated in Example 4 in the Computer Appendices. The ciphertext is the following:

VVHQWVVRHMUSGJGTHKIHTSSEJCHLSFCBGVWCRLRYQTFSVGAHW KCUHWAUGLQHNSLRLJSHBLTSPISPRDXLJSVEEGHLQWKASSKUWE PWQTWVSPGOELKCQYFNSVWLJSNIQKGNRGYBWLWGOVIOKHKAZKQ KXZGYHCECMEIUJOQKWFWVEFQHKIJRCLRLKBIENQFRJLJSDHGR HLSFQTWLAUQRHWDMWLGUSGIKKFLRYVCWVSPGPMLKASSJVOQXE GGVEYGGZMLJCXXLJSVPAIVWIKVRDRYGFRJLJSLVEGGVEYGGEI APUUISFPBTGNWWMUCZRVTWGLRWUGUMNCZVILE

The frequencies are as follows:

A	B	C	D	E	F	G	H	I	J	K	L	M
8	5	12	4	15	10	27	16	13	14	17	25	7
N	O	P	Q	R	S	T	U	V	W	X	Y	Z
7	5	9	14	17	24	8	12	22	22	5	8	5

Note that there is no letter whose frequency is significantly larger than the others. As discussed previously, this is because $e$ $e$ , for example, gets spread among several letters during the encryption process.

How do we decrypt the message? There are two steps: finding the key length and finding the key. In the following, we’ll first show how to find the key length and then give one way to find the key. After an explanation of why the method for finding the key works, we give an alternative way to find the key.

2.3.1 Finding the Key Length

Write the ciphertext on a long strip of paper, and again on another long strip. Put one strip above the other, but displaced by a certain number of places (the potential key length). For example, for a displacement of two we have the following:

\dots

$\dots$

\dots

$\dots$

Mark a $*$ $*$ each time a letter and the one below it are the same, and count the total number of coincidences. In the text just listed, we have two coincidences so far. If we had continued for the entire ciphertext, we would have counted 14 of them. If we do this for different displacements, we obtain the following data:

displacement:	1	2	3	4	5	6
coincidences:	14	14	16	14	24	12

We have the most coincidences for a shift of 5. As we explain later, this is the best guess for the length of the key. This method works very quickly, even without a computer, and usually yields the key length.

2.3.2 Finding the Key: First Method

Now suppose we have determined the key length to be 5, as in our example. Look at the 1st, 6th, 11th, ... letters and see which letter occurs most frequently. We obtain

A	B	C	D	E	F	G	H	I	J	K	L	M
0	0	7	1	1	2	9	0	1	8	8	0	0
N	O	P	Q	R	S	T	U	V	W	X	Y	Z
3	0	4	5	2	0	3	6	5	1	0	1	0

The most frequent is $G$ $G$ , though $J, K, C$ $J, K, C$ are close behind. However, $J = e$ $J = e$ would mean a shift of 5, hence $C = x$ $C = x$ . But this would yield an unusually high frequency for $x$ $x$ in the plaintext. Similarly, $K = e$ $K = e$ would mean $P = j$ $P = j$ and $Q = k$ $Q = k$ , both of which have too high frequencies. Finally, $C = e$ $C = e$ would require $V = x$ $V = x$ , which is unlikely to be the case. Therefore, we decide that $G = e$ $G = e$ and the first element of the key is $2 = c$ $2 = c$ .

We now look at the 2nd, 7th, 12th, ... letters. We find that $G$ $G$ occurs 10 times and $S$ $S$ occurs 12 times, and the other letters are far behind. If $G = e$ $G = e$ , then $S = q$ $S = q$ , which should not occur 12 times in the plaintext. Therefore, $S = e$ $S = e$ and the second element of the key is $14 = o$ $14 = o$ .

Now look at the 3rd, 8th, 13th, ... letters. The frequencies are

A	B	C	D	E	F	G	H	I	J	K	L	M
0	1	0	3	3	1	3	5	1	0	4	10	0
N	O	P	Q	R	S	T	U	V	W	X	Y	Z
2	1	2	3	5	3	0	2	8	7	1	0	1

The initial guess that $L = e$ $L = e$ runs into problems; for example, $R = k$ $R = k$ and $E = x$ $E = x$ have too high frequency and $A = t$ $A = t$ has too low. Similarly, $V = e$ $V = e$ and $W = e$ $W = e$ do not seem likely. The best choice is $H = e$ $H = e$ and therefore the third key element is $3 = d$ $3 = d$ .

The 4th, 9th, 14th, ... letters yield $4 = e$ $4 = e$ as the fourth element of the key. Finally, the 5th, 10th, 15th, ... letters yield $18 = s$ $18 = s$ as the final key element. Our guess for the key is therefore

{2, 14, 3, 4, 18} = {c, o, d, e, s} .

${2, 14, 3, 4, 18} = {c, o, d, e, s} .$

As we saw in the case of the 3rd, 8th, 13th, ... letters (this also happened in the 5th, 10th, 15th, ... case), if we take every fifth letter we have a much smaller sample of letters on which we are doing a frequency count. Another letter can overtake $e$ $e$ in a short sample. But it is probable that most of the high-frequency letters appear with high frequencies, and most of the low-frequency ones appear with low frequencies. As in the present case, this is usually sufficient to identify the corresponding entry in the key.

Once a potential key is found, test it by using it to decrypt. It should be easy to tell whether it is correct.

In our example, the key is conjectured to be $(2, 14, 3, 4, 18)$ $(2, 14, 3, 4, 18)$ . If we decrypt the ciphertext using this key, we obtain

themethodusedforthepreparationandreadingofcodemessagesis

simpleintheextremeandatthesametimeimpossibleoftranslatio

nunlessthekeyisknowntheeasewithwhichthekeymaybechangedis

anotherpointinfavoroftheadoptionofthiscodebythosedesirin

gtotransmitimportantmessageswithouttheslightestdangeroft

heirmessagesbeingreadbypoliticalorbusinessrivalsetc

This passage is taken from a short article in Scientific American, Supplement LXXXIII (January 27, 1917), page 61. A short explanation of the Vigenère cipher is given, and the preceding passage expresses an opinion as to its security.

Before proceeding to a second method for finding the key, we give an explanation of why the procedure given earlier finds the key length. In order to avoid confusion, we note that when we use the word “shift” for a letter, we are referring to what happens during the Vigenère encryption process.

We also will be shifting elements in vectors. However, when we slide one strip of paper to the right or left relative to the other strip, we use the word “displacement.”

Put the frequencies of English letters into a vector:

A_{0} = (.082, .015, .028, \dots, .020, .001) .

$A_{0} = (.082, .015, .028, \dots, .020, .001) .$

Let $A_{i}$ $A_{i}$ be the result of shifting $A_{0}$ $A_{0}$ by $i$ $i$ spaces to the right. For example,

A_{2} = (.020, .001, .082, .015, \dots) .

$A_{2} = (.020, .001, .082, .015, \dots) .$

The dot product of $A_{0}$ $A_{0}$ with itself is

A_{0} \cdot A_{0} = {(.082)}^{2} + {(.015)}^{2} + \dots = .066.

$A_{0} \cdot A_{0} = {(.082)}^{2} + {(.015)}^{2} + \dots = .066.$

Of course, $A_{i} \cdot A_{i}$ $A_{i} \cdot A_{i}$ is also equal to .066 since we get the same sum of products, starting with a different term. However, the dot products of $A_{i} \cdot A_{j}$ $A_{i} \cdot A_{j}$ are much lower when $i \neq j$ $i \neq j$ , ranging from .031 to .045:

$\| i - j \|$ $\| i - j \|$	0	1	2	3	4	5	6
$A_{i} \cdot A_{j}$ $A_{i} \cdot A_{j}$	.066	.039	.032	.034	.044	.033	.036
	7	8	9	10	11	12	13
	.039	.034	.034	.038	.045	.039	.042

The dot product depends only on $| i - j |$ $| i - j |$ . This can be seen as follows. The entries in the vectors are the same as those in $A_{0}$ $A_{0}$ , but shifted. In the dot product, the $i$ $i$ th entry of $A_{0}$ $A_{0}$ is multiplied by the $j$ $j$ th entry, the $(i + 1)$ $(i + 1)$ st times the $(j + 1)$ $(j + 1)$ st, etc. So each element is multiplied by the element $j - i$ $j - i$ positions removed from it. Therefore, the dot product depends only on the difference $i - j$ $i - j$ . However, by reversing the roles of $i$ $i$ and $j$ $j$ , and noting that $A_{i} \cdot A_{j} = A_{j} \cdot A_{i}$ $A_{i} \cdot A_{j} = A_{j} \cdot A_{i}$ , we see that $i - j$ $i - j$ and $j - i$ $j - i$ give the same dot products, so the dot product only depends on $| i - j |$ $| i - j |$ . In the preceding table, we only needed to compute up to $| i - j | = 13$ $| i - j | = 13$ . For example, $i - j = 17$ $i - j = 17$ corresponds to a shift by 17 in one direction, or 9 in the other direction, so $i - j = 9$ $i - j = 9$ will give the same dot product.

The reason $A_{0} \cdot A_{0}$ $A_{0} \cdot A_{0}$ is higher than the other dot products is that the large numbers in the vectors are paired with large numbers and the small ones are paired with small. In the other dot products, the large numbers are paired somewhat randomly with other numbers. This lessens their effect. For another reason that $A_{0} \cdot A_{0}$ $A_{0} \cdot A_{0}$ is higher than the other dot products, see Exercise 23.

Let’s assume that the distribution of letters in the plaintext closely matches that of English, as expressed by the vector $A_{0}$ $A_{0}$ above. Look at a random letter in the top strip of ciphertext. It corresponds to a random letter of English shifted by some amount $i$ $i$ (corresponding to an element of the key). The letter below it corresponds to a random letter of English shifted by some amount $j$ $j$ .

For concreteness, let’s suppose that $i = 0$ $i = 0$ and $j = 2$ $j = 2$ . The probability that the letter in the 50th position, for example, is $A$ $A$ is given by the first entry in $A_{0}$ $A_{0}$ , namely .082. The letter directly below, on the second strip, has been shifted from the original plaintext by $j = 2$ $j = 2$ positions. If this ciphertext letter is $A$ $A$ , then the corresponding plaintext letter was $y$ $y$ , which occurs in the plaintext with probability .020. Note that .020 is the first entry of the vector $A_{2}$ $A_{2}$ . The probability that the letter in the 50th position on the first strip and the letter directly below it are both the letter $A$ $A$ is $(.082) (.020)$ $(.082) (.020)$ . Similarly, the probability that both letters are $B$ $B$ is $(.015) (.001)$ $(.015) (.001)$ . Working all the way through $Z$ $Z$ , we see that the probability that the two letters are the same is

(.082) (.020) + (.015) (.001) + \dots + (.001) (.001) = A_{0} \cdot A_{2} .

$(.082) (.020) + (.015) (.001) + \dots + (.001) (.001) = A_{0} \cdot A_{2} .$

In general, when the encryption shifts are $i$ $i$ and $j$ $j$ , the probability that the two letters are the same is $A_{i} \cdot A_{j}$ $A_{i} \cdot A_{j}$ . When $i \neq j$ $i \neq j$ , this is approximately $0.038$ $0.038$ , but if $i = j$ $i = j$ , then the dot product is $0.066$ $0.066$ .

We are in the situation where $i = j$ $i = j$ exactly when the letters lying one above the other have been shifted by the same amount during the encryption process, namely when the top strip is displaced by an amount equal to the key length (or a multiple of the key length). Therefore we expect more coincidences in this case.

For a displacement of 5 in the preceding ciphertext, we had 326 comparisons and 24 coincidences. By the reasoning just given, we should expect approximately $326 \times 0.066 = 21.5$ $326 \times 0.066 = 21.5$ coincidences, which is close to the actual value.

2.3.3 Finding the Key: Second Method

Using the preceding ideas, we give another method for determining the key. It seems to work somewhat better than the first method on short samples, though it requires a little more calculation.

We’ll continue to work with the preceding example. To find the first element of the key, count the occurrences of the letters in the 1st, 6th, 11th, ... positions, as before, and put them in a vector:

V = (0, 0, 7, 1, 1, 2, 9, 0, 1, 8, 8, 0, 0, 3, 0, 4, 5, 2, 0, 3, 6, 5, 1, 0, 1, 0)

$V = (0, 0, 7, 1, 1, 2, 9, 0, 1, 8, 8, 0, 0, 3, 0, 4, 5, 2, 0, 3, 6, 5, 1, 0, 1, 0)$

(the first entry gives the number of occurrences of $A$ $A$ , the second gives the number of occurrences of $B$ $B$ , etc.). If we divide by 67, which is the total number of letters counted, we obtain a vector

W = (0, 0, .1045, .0149, .0149, .0299, \dots, .0149, 0) .

$W = (0, 0, .1045, .0149, .0149, .0299, \dots, .0149, 0) .$

Let’s think about where this vector comes from. Since we know the key length is 5, the 1st, 6th, 11th, ... letters in the ciphertext were all shifted by the same amount (as we’ll see shortly, they were all shifted by 2). Therefore, they represent a random sample of English letters, all shifted by the same amount. Their frequencies, which are given by the vector $W,$ $W,$ should approximate the vector $A_{i},$ $A_{i},$ where $i$ $i$ is the shift caused by the first element of the key.

The problem now is to determine $i$ $i$ . Recall that $A_{i} \cdot A_{j}$ $A_{i} \cdot A_{j}$ is largest when $i = j$ $i = j$ , and that W approximates $A_{i}$ $A_{i}$ . If we compute $W \cdot A_{j}$ $W \cdot A_{j}$ for $0 \leq j \leq 25$ $0 \leq j \leq 25$ , the maximum value should occur when $j = i$ $j = i$ . Here are the dot products:

\begin{array}{rcl} .0250, .0391, .0713, .0388, .0275, .0380, .0512, .0301, .0325, \\ .0430, .0338, .0299, .0343, .0446, .0356, .0402, .0434, .0502, \\ .0392, .0296, .0326, .0392, .0366, .0316, .0488, .0349 \end{array}

$\begin{array}{rcl} .0250, .0391, .0713, .0388, .0275, .0380, .0512, .0301, .0325, \\ .0430, .0338, .0299, .0343, .0446, .0356, .0402, .0434, .0502, \\ .0392, .0296, .0326, .0392, .0366, .0316, .0488, .0349 \end{array}$

The largest value is the third, namely .0713, which equals $W \cdot A_{2}$ $W \cdot A_{2}$ . Therefore, we guess that the first shift is 2, which corresponds to the key letter $c$ $c$ .

Let’s use the same method to find the third element of the key. We calculate a new vector W, using the frequencies for the 3rd, 8th, 13th, ... letters that we tabulated previously:

W = (0, .0152, 0, .0454, .0454, .0152, \dots, 0, .0152) .

$W = (0, .0152, 0, .0454, .0454, .0152, \dots, 0, .0152) .$

The dot products $W \cdot A_{i}$ $W \cdot A_{i}$ for $0 \leq i \leq 25$ $0 \leq i \leq 25$ are

\begin{array}{rcl} .0372, .0267, .0395, .0624, .04741, .0279, .0319, .0504, .0378, \\ .0351, .0367, .0395, .0264, .0415, .0427, .0362, .0322, .0457, \\ .0526, .0397, .0322, .0299, .0364, .0372, .0352, .0406 \end{array}

$\begin{array}{rcl} .0372, .0267, .0395, .0624, .04741, .0279, .0319, .0504, .0378, \\ .0351, .0367, .0395, .0264, .0415, .0427, .0362, .0322, .0457, \\ .0526, .0397, .0322, .0299, .0364, .0372, .0352, .0406 \end{array}$

The largest of these values is the fourth, namely .0624, which equals $W \cdot A_{3}$ $W \cdot A_{3}$ . Therefore, the best guess is that the first shift is 3, which corresponds to the key letter $d$ $d$ . The other three elements of the key can be found similarly, again yielding $c, o, d, e, s$ $c, o, d, e, s$ as the key.

Notice that the largest dot product was significantly larger than the others in both cases, so we didn’t have to make several guesses to find the correct one. In this way, the present method is superior to the first method presented; however, the first method is much easier to do by hand.

Why is the present method more accurate than the first one? To obtain the largest dot product, several of the larger values in W had to match with the larger values in an $A_{i} .$ $A_{i} .$ In the earlier method, we tried to match only the $e$ $e$ , then looked at whether the choices for other letters were reasonable. The present method does this all in one step.

To summarize, here is the method for finding the key. Assume we already have determined that the key length is $n$ $n$ .

For $i = 1$ $i = 1$ to $n$ $n$ , do the following:

Compute the frequencies of the letters in positions $i$ $i$ mod $n$ $n$ , and form the vector W.
For $j = 0$ $j = 0$ to $25$ $25$ , compute $W \cdot A_{j}$ $W \cdot A_{j}$ .
Let $k_{i} = j_{0}$ $k_{i} = j_{0}$ give the maximum value of $W \cdot A_{j}$ $W \cdot A_{j}$ .

The key is probably ${k_{1}, \dots, k_{n}}$ ${k_{1}, \dots, k_{n}}$ .

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for
2.3 The Vigenère CipherThe Vigenère Cipher

2.3 The Vigenère Cipher

Table 2.1 Frequencies of Letters in English

2.3.1 Finding the Key Length

2.3.2 Finding the Key: First Method

2.3.3 Finding the Key: Second Method

Table of Contents for 2.3 The Vigen&#232;re CipherThe Vigenère Cipher

Create new playlist

Sign In

Sign Up

Table of Contents for
2.3 The Vigenère CipherThe Vigenère Cipher