The History of Cryptology - people.emich.edu  · Web viewCryptology plays a very important role in...

Shanna R. Simpson-Singleton
Independent Research
Mathematics Department: Professor Kenneth Shiskowski, Ph.D.

The History of Cryptology

March 27, 2009

Cryptology has a strong historical background, not only in the varying areas of linguistics, but also through the advances of number theory and computer science. We will show the progression of cryptology from the times of the Egyptians up to our modern era.


KEY WORDS

Ciphers, codes, cryptography, cryptology, history of cryptography, history of cryptology, number theory

INTRODUCTION

Cryptology is defined as the discipline of secrecy systems, while cryptography is geared more towards the use and design of these systems (Rosen, p. 260). Number theory examines the different types of numbers in addition to the properties and relationships between these numbers (Rosen, p. 1). Many cryptographers use number theory in their methods of encryption, the process of changing plaintext (the original message) into ciphertext (the encrypted message), and decryption, the process of changing ciphertext into plaintext (Rosen, p. 260). The varying combinations of cryptology and number theory, in addition to advances in computer science, have allowed the world to communicate while keeping personal secrets, large and small, from the sights of unintended eyes.

Cryptology plays a very important role in our everyday lives. We use cryptography when we utilize email. We use cryptography when we utilize our ATMs and debit cards. Cryptology plays a strong role when we make secured purchases from the internet. Cryptology also has a very important role in communicating highly classified political and military documents, launch codes, messages, etc. The list goes on. There are far too many common uses of cryptology for me to list individually, but cryptology does have a firm role in the everyday life of modern society. We will visit the most important historic events in the history of cryptology and, where applicable, show their correlation with number theory and some aspects of computer science.

ORIGINS

When the historical aspects of cryptology are mentioned, most reminisce over the events of the World Wars. Although this was an immense time for cryptographers and cryptology, it was not the only monumental moment in history for cryptology.

Written Language

Cryptology can be traced back to about 3500 B.C.E. This was the approximate moment in history where the earliest written languages began to surface amongst the ancient civilizations of the world. Some historians hypothesize that written language was originally created as a form of cryptology by the Sumerians in Mesopotamia. Verbal messages were the primary form of communication prior to the creation of written language. As civilization progressed, the need for privacy and secrecy increased. The scholars of this era created a form of writing that could be used as a communication between multiple parties masking the actual message from transporters and other prying eyes. This method of communication was very effective since very few people were able to read during this era.

Substitution

As more people learned to read, written language became more widespread, and a different form of cryptology began to surface. The substitution method of cryptology dates back to approximately 2000 B.C.E. in ancient Egypt. Certain hieroglyphics that appeared on a number of stone tributes were substituted by varying other symbols as either a method of amusement or a method to confuse travelers. Substitution began to emerge on more sacred and religious tributes to add a more dramatic effect to the text. This caused the writing to seem more perplexing and extraordinary, thus supporting the notions that the ideas conveyed in the works were of a supernatural origin. (Pinock, p. 11)

It was not until roughly 1500 B.C.E. in Mesopotamia that substitution was used to maintain secrecy. A portable tablet was created as a means to encode instructions to create pottery. Cuneiform symbols were used in a technique of substitution in the text to camouflage the instructions from unintended eyes (Pinock, p. 12). Written language progressed from a symbolic representation of objects, to a representation of ideas, to a representation of individual sounds. Cryptology also progressed to mirror these changes in written languages.

Steganography

The progression of cryptology mirrored the progressions of civilizations. There is another method of secrecy similar to cryptology referred to as steganography which is worth mentioning at this point of presentation. Steganography is the method of concealing messages, while cryptography encrypts messages. The steganography method dates back to the era of the ancient Romans and Greeks, where messages would be hidden in capsules, under tablets, and even tattooed on the scalps of slaves hidden by the hair on their heads (Pinock, p. 14). Steganography has withstood the test of time and exists to this very day. Steganography methods are often used alongside cryptography methods and have evolved in the same manner as cryptology.

NUMBER THEORY

As civilization progressed, so did the methods of cryptology. It is no surprise that it was during the era of the Greeks and Romans that number theory was introduced to cryptology. It is at this point in history that modular arithmetic began to hold a very important role in cryptology. We will begin our exploration of number theory and cryptology with private key (or symmetric) ciphers, which are ciphers that have “encryption or decryption keys that are either the same or can be easily found from each other” (Rosen, p. 285).

Affine Transformation

The affine transformation is a branch of cryptology which consists of the family of ciphers that involves shift transformations. Affine transformations are generally represented using modular arithmetic as follows:

Let P be the numerical representation of the letter in plaintext.
Let C be the numerical representation of the letter in ciphertext.
Let N be the number of characters in the alphabet.

We now have the following encryption method:

$C \equiv aP + b \pmod{N}, \quad 0 \le C \le N - 1,$

where a and b are integers with (a, N) = 1.

Koblitz, p. 56


The Caesar Cipher

An example of an affine transformation is the Caesar cipher. It is one of the earliest known shift transformation ciphers. The Caesar cipher was created sometime between 100 B.C.E. and 44 B.C.E. The Caesar cipher begins with a method of substitution that follows.

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Here, the plaintext is assembled in groups of 5, then converted to their numerical equivalent as shown in the table above.

We now use modular arithmetic to create the ciphertext. The Caesar cipher uses a cryptosystem called character or monographic ciphers, where “each character is changed individually to another character using substitution” (Rosen, p 261).

Using modular arithmetic we obtain the following:

Let P be the numerical representation of the letter in plaintext.
Let C be the numerical representation of the letter in ciphertext.

We now have the following encryption method:

$C \equiv P + 3 \pmod{26}, \quad 0 \le C \le 25$

Rosen, p. 261

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

We decipher the encrypted text as follows:

Let P be the numerical representation of the letter in plaintext.
Let C be the numerical representation of the letter in ciphertext.

We now have the following decryption method:

$P \equiv C - 3 \pmod{26}, \quad 0 \le C \le 25$

Rosen, p. 262

Frequency

Affine transformations are very susceptible to cryptanalysis. This is due to an analytic approach of frequency. The frequency measures the occurrence of characters in the text of a language. Rosen accounts for the frequency of the English language as follows:

Letter            A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
Frequency (in %)  7   1   3   4   13  3   2   3   8   <1  <1  4   3   8   7   3   <1  8   6   9   3   1   1   <1  2   <1


We can apply this study of frequencies to a ciphertext using an affine transformation. The most frequent characters in the plaintext remain the most frequent characters in the ciphertext; thus, a cryptanalyst would examine the ciphertext and note the character that occurs most often. One would then compare this frequency to the letter frequencies of the language. The analyst would finally use the information found in the comparison to decode the ciphertext.

We can use the English language as an example. The frequency chart above states that the letter E occurs most often in the English language. A cryptanalyst would note the character that appears most often in the ciphertext and decipher it as E. He would use the E and its corresponding ciphertext to compute the encryption transformation method equation. The analyst can now use this transformation equation to find a decryption transformation method. Lastly, this newfound method is used to decode the ciphertext in its entirety.
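The frequency approach described above, written out as an added example (not part of the original paper). It goes one step beyond the text by using the two most frequent letters in Rosen's table, E and T, so that both unknowns a and b of a general affine cipher can be solved for; the sample sentence and the key (5, 8) are constructed for the illustration.

```python
from collections import Counter
from math import gcd

A0 = ord("A")

# Constructed sample plaintext in which E is the most frequent letter and T the second.
SAMPLE = "THE TEN TENTS WERE SET BETWEEN THE TREES"


def affine_encrypt(text, a, b):
    """C = a*P + b (mod 26); the Caesar cipher is the case a = 1, b = 3."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26")
    return "".join(
        chr((a * (ord(ch) - A0) + b) % 26 + A0) if "A" <= ch <= "Z" else ch
        for ch in text.upper()
    )


def affine_decrypt(text, a, b):
    """P = a^-1 * (C - b) (mod 26)."""
    a_inv = pow(a, -1, 26)
    return "".join(
        chr((a_inv * (ord(ch) - A0 - b)) % 26 + A0) if "A" <= ch <= "Z" else ch
        for ch in text.upper()
    )


def recover_key(ciphertext):
    """Guess (a, b) from letter counts alone.

    Assumes the most frequent ciphertext letter stands for E (4) and the
    second most frequent for T (19), as the frequency table suggests.
    """
    counts = Counter(ch for ch in ciphertext.upper() if "A" <= ch <= "Z")
    (top1, _), (top2, _) = counts.most_common(2)
    c_e, c_t = ord(top1) - A0, ord(top2) - A0
    # 4a + b = c_e and 19a + b = c_t  =>  15a = c_t - c_e (mod 26)
    a = ((c_t - c_e) * pow(15, -1, 26)) % 26
    if gcd(a, 26) != 1:
        raise ValueError("frequency guess does not give a valid affine key")
    b = (c_e - 4 * a) % 26
    return a, b


if __name__ == "__main__":
    ciphertext = affine_encrypt(SAMPLE, 5, 8)
    a, b = recover_key(ciphertext)
    print(ciphertext)
    print((a, b), affine_decrypt(ciphertext, a, b))
```

On short or unusual texts the two most frequent letters may not be E and T, in which case the guess has to be repeated with the next candidates.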

Vigenère Cipher

The vulnerability of affine transformation ciphers led to the creation of block ciphers. These ciphers use substitution on pieces or blocks of a plaintext message. The Vigenère cipher, named after Blaise de Vigenère (1523-1596) (Rosen, p. 269), used a keyword to create a block cipher. Plaintext would be encoded in blocks the same length as this keyword, using this keyword in a manner similar to that of an affine transformation.

Thus, the Vigenère cipher uses the subsequent algorithm.

Let n = the number of characters in the keyword, and let x = the number of characters in the plaintext message.

Let k be the vector that represents the numerical equivalent of the keyword, such that $k = \{k_1, k_2, k_3, \ldots, k_n\}$.

After splitting the plaintext into blocks of n characters, we will let p be the numerical equivalent of the block of plaintext, such that $p = \{p_1, p_2, p_3, \ldots, p_n\}$. Then we will let the ciphertext c be the numerical equivalent, such that $c = \{c_1, c_2, c_3, \ldots, c_n\}$, where

$c_i \equiv p_i + k_i \pmod{26}, \quad 0 \le c_i \le 25, \quad \text{for } i = 1, 2, 3, \ldots, x.$

Rosen, p. 269

For example, if the plaintext message was “Let’s encipher this message” and the keyword was “number,” using the following method of substitution, we would have

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

$n = 6$,
$x = 23$,
$p = \{11, 4, 19, 18, 4, 13, 2, 8, 15, 7, 4, 17, 19, 7, 8, 18, 12, 4, 18, 18, 0, 6, 4\}$,
$k = \{13, 20, 12, 1, 4, 17\}$,

$c_1 = p_1 + k_1 = 11 + 13 \equiv 24 \pmod{26} = y$,
$c_2 = p_2 + k_2 = 4 + 20 \equiv 24 \pmod{26} = y$,
$c_3 = p_3 + k_3 = 19 + 12 \equiv 5 \pmod{26} = f$,
$c_4 = p_4 + k_4 = 18 + 1 \equiv 19 \pmod{26} = t$,
$c_5 = p_5 + k_5 = 4 + 4 \equiv 8 \pmod{26} = i$,
$c_6 = p_6 + k_6 = 13 + 17 \equiv 4 \pmod{26} = e$,
$c_7 = p_7 + k_1 = 2 + 13 \equiv 15 \pmod{26} = p$,
$c_8 = p_8 + k_2 = 8 + 20 \equiv 2 \pmod{26} = c$,
…
$c_{23} = p_{23} + k_5 = 4 + 4 \equiv 8 \pmod{26} = i$.

Where the encryption method could be envisioned as follows:

Block Position:  1  2  3  4  5  6
                 L  E  T  S  E  N
                 C  I  P  H  E  R
                 T  H  I  S  M  E
                 S  S  A  G  E

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Block Position 1 N O P Q R S T U V W X Y Z A B C D E F G H I J K L M

Block Position 2 U V W X Y Z A B C D E F G H I J K L M N O P Q R S T

Block Position 3 M N O P Q R S T U V W X Y Z A B C D E F G H I J K L

Block Position 4 B C D E F G H I J K L M N O P Q R S T U V W X Y Z A

Block Position 5 E F G H I J K L M N O P Q R S T U V W X Y Z A B C D

Block Position 6 R S T U V W X Y Z A B C D E F G H I J K L M N O P Q

The message would be encrypted to the following:

Block Position:  1  2  3  4  5  6
                 Y  Y  F  T  I  E
                 P  C  B  I  I  I
                 G  B  U  T  Q  V
                 F  M  M  H  I

Finally, the message would be transmitted as “yyftiepcbiiigbutqvfmmhi.” As you see, the letter “I” is the highest occurring character in frequency, but “I” in ciphertext can translate to the letters “V, O, W, H, E, or R” in plaintext, thus making the use of frequency analysis useless.

One-Time Pad Cipher

The Vigenère cipher was only as good as its key. If the keyword was discovered by cryptanalysts, the secret message could then easily be deciphered. During the era of World War I, a US cryptographer, Joseph Mauborgne, decided that he could still use the basic principles of the Vigenère cipher, and that it would be very useful if there were a manner in which a stronger key could be created. Thus, the one-time pad cipher was created. This was a Vigenère cipher with a key that was used only once, that was longer than the message itself, and that was a completely random string of variables. This made the key much more difficult to guess and far less susceptible to cryptanalysis. (Higgins, p. 238-9)

Vernam Cipher

A variation of the one-time pad cipher was the Vernam cipher, created in 1917 to automatically encrypt and decrypt telegraph messages. It was named for Gilbert Vernam (1890-1960) (Rosen, p. 276). One-time pad ciphers and Vernam ciphers are considered to be a form of stream ciphers.

A sequence $k_1 k_2 k_3 \cdots$ of elements from a keyspace K is called a keystream. The encryption function corresponding to the key $k_i$ is denoted by $E_{k_i}$. A stream cipher is a cipher that sends a plaintext string $p_1 p_2 p_3 \cdots$, using a keystream $k_1 k_2 k_3 \cdots$, to a ciphertext string $c_1 c_2 c_3 \cdots$, where $c_i = E_{k_i}(p_i)$. The corresponding decryption function is $D_{d_i}(c_i)$, where $d_i$ is a decryption key corresponding to the encryption key $k_i$.

Rosen, p. 275

Vernam used a bit string which was equal in length to the plaintext message that was also represented as a bit string. The plaintext bit string was encrypted using

$E_{k_i}(p_i) \equiv k_i + p_i \pmod{2}$

Rosen p. 276

Exactly two different encryption maps are used in a Vernam cipher. When $k_i = 0$, $E_{k_i}$ is the identity map that sends 0 to 0 and 1 to 1. When $k_i = 1$, $E_{k_i}$ is the map that sends 0 to 1 and 1 to 0. The corresponding decryption transformation $D_{d_i}$ is identical to $E_{k_i}$.

Rosen p. 276
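The Vernam map above is a bitwise XOR, and the "used only once" condition from the one-time pad section is what keeps it safe. This added example (not from the original paper) shows that encryption and decryption are the same operation and what leaks when a pad is used twice; the two messages are constructed samples.

```python
import secrets


def vernam(data: bytes, pad: bytes) -> bytes:
    """E_k(p) = k + p (mod 2) on every bit, i.e. XOR. Decryption is the same map."""
    if len(pad) < len(data):
        raise ValueError("the pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def new_pad(length: int) -> bytes:
    """A fresh random pad from the operating system's CSPRNG."""
    return secrets.token_bytes(length)


def xor_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """XOR two ciphertexts. If both used the same pad, the pad cancels out
    and what remains is the XOR of the two plaintexts."""
    return bytes(x ^ y for x, y in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1 = b"MEET AT THE DOCK"
    m2 = b"SEND MORE PAPER!"

    pad = new_pad(len(m1))
    c1 = vernam(m1, pad)
    print(vernam(c1, pad))            # same function decrypts

    # Failure mode: the same pad is reused for a second message.
    c2 = vernam(m2, pad)
    leak = xor_ciphertexts(c1, c2)    # equals m1 XOR m2, no key needed
    print(vernam(leak, m1))           # anyone who knows m1 now reads m2
```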

Autokey Cipher

Vigenère is also credited for creating the autokey cipher. For this cipher, we use a one character seed key. We then use this seed key in conjunction with the first character of the plaintext. The keystream is created using the seed key and the numerical equivalent of the plaintext with the exclusion of the first character of the plaintext, such that

$c_i \equiv p_i + k_i \pmod{26}$ for:

c = the numerical equivalent of the ciphertext
p = the numerical equivalent of the plaintext character
i = the character position
s = the numerical equivalent of the seed character
k = the numerical equivalent of the keystream character, where $k_1 = s$ and $k_i = p_{i-1}$ for $i \ge 2$

Rosen p. 277

As an example, we can use “EMU MATHEMATICS” as our plaintext message, and the encryption algorithm, $c_i \equiv p_i + k_i \pmod{26}$, with s = y = 24. With the following plaintext substitutions we have

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Plaintext             E   M   U   M   A   T   H   E   M   A   T   I   C   S
Numerical Plaintext   4   12  20  12  0   19  7   4   12  0   19  8   2   18
Numerical Keystream   24  4   12  20  12  0   19  7   4   12  0   19  8   2
Numerical Ciphertext  28  16  32  32  12  19  26  11  16  12  19  27  10  20
Ciphertext            C   Q   G   G   M   T   A   L   Q   M   T   B   K   U

Thus, we have:

$c_1 = 4 + 24 = 28 \equiv 2 \pmod{26}$
$c_2 = 12 + 4 = 16 \pmod{26}$
$c_3 = 20 + 12 = 32 \equiv 6 \pmod{26}$
$c_4 = 12 + 20 = 32 \equiv 6 \pmod{26}$
$c_5 = 0 + 12 = 12 \pmod{26}$
$c_6 = 19 + 0 = 19 \pmod{26}$
$c_7 = 7 + 19 = 26 \equiv 0 \pmod{26}$
$c_8 = 4 + 7 = 11 \pmod{26}$
$c_9 = 12 + 4 = 16 \pmod{26}$
$c_{10} = 0 + 12 = 12 \pmod{26}$
$c_{11} = 19 + 0 = 19 \pmod{26}$
$c_{12} = 8 + 19 = 27 \equiv 1 \pmod{26}$
$c_{13} = 2 + 8 = 10 \pmod{26}$
$c_{14} = 18 + 2 = 20 \pmod{26}$

So, $c = [2, 16, 6, 6, 12, 19, 0, 11, 16, 12, 19, 1, 10, 20]$, and the ciphertext is “CQGGMTALQMTBKU.”
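The Vigenère and autokey ciphers differ only in where the keystream comes from, which the following added example (not code from the original paper) makes explicit. It reproduces both worked examples above and also lists the plaintext letters that a single ciphertext letter can stand for under the keyword “number”; the function names are chosen here for illustration.

```python
A0 = ord("A")


def to_nums(text):
    """Letters A-Z to 0-25; anything else (spaces, apostrophes) is dropped."""
    return [ord(ch) - A0 for ch in text.upper() if "A" <= ch <= "Z"]


def to_text(nums):
    return "".join(chr(n % 26 + A0) for n in nums)


def vigenere_encrypt(plaintext, keyword):
    """c_i = p_i + k_j (mod 26), where the keyword repeats for each block."""
    k = to_nums(keyword)
    return to_text(p + k[i % len(k)] for i, p in enumerate(to_nums(plaintext)))


def vigenere_decrypt(ciphertext, keyword):
    k = to_nums(keyword)
    return to_text(c - k[i % len(k)] for i, c in enumerate(to_nums(ciphertext)))


def plaintext_candidates(cipher_letter, keyword):
    """Plaintext letter behind one ciphertext letter at each block position."""
    c = to_nums(cipher_letter)[0]
    return [to_text([c - k]) for k in to_nums(keyword)]


def autokey_encrypt(plaintext, seed):
    """Keystream is the seed followed by the plaintext itself: k_1 = s, k_i = p_(i-1)."""
    p = to_nums(plaintext)
    keystream = to_nums(seed)[:1] + p[:-1]
    return to_text(pi + ki for pi, ki in zip(p, keystream))


def autokey_decrypt(ciphertext, seed):
    """Each recovered plaintext letter becomes the key for the next position."""
    k = to_nums(seed)[0]
    out = []
    for c in to_nums(ciphertext):
        k = (c - k) % 26
        out.append(k)
    return to_text(out)


if __name__ == "__main__":
    ct = vigenere_encrypt("Let's encipher this message", "number")
    print(ct.lower())                         # yyftiepcbiiigbutqvfmmhi
    print(vigenere_decrypt(ct, "number"))
    print(plaintext_candidates("I", "number"))
    ak = autokey_encrypt("EMU MATHEMATICS", "Y")
    print(ak, autokey_decrypt(ak, "Y"))       # CQGGMTALQMTBKU EMUMATHEMATICS
```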

Book Cipher

The book cipher was an alternative solution to creating a more secure key with the Vigenère cipher. Cryptographers would compose a somewhat lengthy text that would be used as a key. In this case,

The words of the book are then numbered, 1, 2, … , and so on up to however many words can be produced. If the sender wishes to code the message PAP, she starts reading the book and follows through till she finds the first word beginning with P: it may be the 40th word, in which case the plaintext P is enciphered as the number 40. Since the next letter is A, she would find a word beginning with A, it might be 8, so that would become the next cipher symbol. To encipher the final P, she would locate the next word in the text beginning with P, it might be word number 104, and so her enciphered message would be 40 8 104. Without the ‘book’ this is a near impossible code to break, even if long messages are intercepted.

Higgins, p. 241

Hill Cipher

The Hill cipher was created by Lester Hill in 1929 (Rosen, p. 271). This cipher is best described using linear algebra in addition to modular arithmetic. The key can be represented by an n x n matrix, where we divide the plaintext into blocks of n characters. We then encode each block of text, using the n x n matrix, as a linear combination of the plaintext block. We use the following substitution method to convert the plaintext into its numerical equivalent (Rosen, p. 271-4).

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

We then let A, C, and P be matrices such that
C is the numerical equivalent of the encrypted text,
A is the n x n enciphering key with (det(A), 26) = 1, and
P is the numerical equivalent of the plaintext.

The plaintext is enciphered as follows: $C \equiv AP \pmod{26}$. (Rosen, p. 272)

The ciphertext is deciphered as $P \equiv A^{-1}C \pmod{26}$. (Rosen, p. 272)

As an example, we can let n = 5 with the enciphering matrix

$A = \begin{pmatrix} 1 & 2 & 3 & 5 & 8 \\ 13 & 21 & 33 & 54 & 87 \\ 7 & 11 & 13 & 17 & 19 \\ 23 & 29 & 31 & 37 & 41 \\ 30 & 31 & 11 & 2 & 43 \end{pmatrix}$

We can encipher the plaintext message “lets encipher this message,” and thus

$P = \{11, 4, 19, 18, 4, 13, 2, 8, 15, 7, 4, 17, 19, 7, 8, 18, 12, 4, 18, 18, 0, 6, 4\}$, where

$p_1 p_2 p_3 p_4 p_5 = \{11, 4, 19, 18, 4\}$
$p_6 p_7 p_8 p_9 p_{10} = \{13, 2, 8, 15, 7\}$
$p_{11} p_{12} p_{13} p_{14} p_{15} = \{4, 17, 19, 7, 8\}$
$p_{16} p_{17} p_{18} p_{19} p_{20} = \{18, 12, 4, 18, 18\}$
$p_{21} p_{22} p_{23} = \{0, 6, 4, 25, 25\}$,

Notice that we use the letter Z = 25 (mod 26) as our dummy variable to create a 5 x 1 vector. We can now compute the ciphertext as follows.

$c_1 \ldots c_5 = A \begin{pmatrix} 11 \\ 4 \\ 19 \\ 18 \\ 4 \end{pmatrix} \equiv \begin{pmatrix} 16 \\ 16 \\ 22 \\ 20 \\ 13 \end{pmatrix} \pmod{26}$

$c_6 \ldots c_{10} = A \begin{pmatrix} 13 \\ 2 \\ 8 \\ 15 \\ 7 \end{pmatrix} \equiv \begin{pmatrix} 16 \\ 22 \\ 7 \\ 17 \\ 13 \end{pmatrix} \pmod{26}$

$c_{11} \ldots c_{15} = A \begin{pmatrix} 4 \\ 17 \\ 19 \\ 7 \\ 8 \end{pmatrix} \equiv \begin{pmatrix} 12 \\ 4 \\ 5 \\ 19 \\ 18 \end{pmatrix} \pmod{26}$

$c_{16} \ldots c_{20} = A \begin{pmatrix} 18 \\ 12 \\ 4 \\ 18 \\ 18 \end{pmatrix} \equiv \begin{pmatrix} 2 \\ 10 \\ 22 \\ 2 \\ 24 \end{pmatrix} \pmod{26}$

$c_{21} \ldots c_{23} = A \begin{pmatrix} 0 \\ 6 \\ 4 \\ 25 \\ 25 \end{pmatrix} \equiv \begin{pmatrix} 11 \\ 13 \\ 4 \\ 12 \\ 3 \end{pmatrix} \pmod{26}$

We now have $C = \{16, 16, 22, 20, 13, 16, 22, 7, 17, 13, 12, 4, 5, 19, 18, 2, 10, 22, 2, 24, 11, 13, 4, 12, 3\}$

Our enciphered message is now “qqwunqwhrnmeftsckwcylnemd.”

The Hill cipher becomes vulnerable to cryptanalysis when n is small. For n = 2 as an example, the Hill cipher is still vulnerable to frequency analysis where “TH” and “HE” are the most frequently occurring blocks of two in the English language (Rosen, p. 274). The larger n is, the less susceptible it is to frequency analysis.
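An added example (not code from the original paper) that reproduces the Hill encipherment above and implements the key condition (det(A), 26) = 1 together with deciphering by the inverse matrix mod 26. Running the check on the 5 x 5 matrix used above shows it fails: rows 3 and 4 are both all-odd, so the determinant is even, and that matrix can encipher but its output cannot be uniquely deciphered. The 2 x 2 key is a constructed sample that does satisfy the condition.

```python
from math import gcd

A0 = ord("A")

PAGE_KEY = [  # the 5 x 5 enciphering matrix from the worked example
    [1, 2, 3, 5, 8],
    [13, 21, 33, 54, 87],
    [7, 11, 13, 17, 19],
    [23, 29, 31, 37, 41],
    [30, 31, 11, 2, 43],
]
SAMPLE_KEY = [[5, 17], [4, 15]]  # constructed sample key, det = 7


def det(m):
    """Exact integer determinant by cofactor expansion (fine for small n)."""
    if not m:
        return 1
    total = 0
    for j, value in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * value * det(minor)
    return total


def is_valid_key(m):
    """The key condition from the text: (det(A), 26) = 1."""
    return gcd(det(m) % 26, 26) == 1


def inverse_mod26(m):
    """A^-1 mod 26 via the adjugate; refuses keys that are not invertible."""
    d = det(m) % 26
    if gcd(d, 26) != 1:
        raise ValueError("det(A) shares a factor with 26: no inverse exists")
    d_inv = pow(d, -1, 26)
    n = len(m)
    inv = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [r[:j] + r[j + 1:] for k, r in enumerate(m) if k != i]
            inv[j][i] = (d_inv * (-1) ** (i + j) * det(minor)) % 26
    return inv


def hill_encrypt(text, key, pad=25):
    """C = AP (mod 26) per block of n letters; short final block padded with Z."""
    n = len(key)
    nums = [ord(ch) - A0 for ch in text.upper() if "A" <= ch <= "Z"]
    nums += [pad] * (-len(nums) % n)
    out = []
    for i in range(0, len(nums), n):
        block = nums[i:i + n]
        out += [sum(a * b for a, b in zip(row, block)) % 26 for row in key]
    return "".join(chr(v + A0) for v in out)


def hill_decrypt(ciphertext, key):
    """P = A^-1 C (mod 26)."""
    return hill_encrypt(ciphertext, inverse_mod26(key))


if __name__ == "__main__":
    print(hill_encrypt("lets encipher this message", PAGE_KEY).lower())
    print(is_valid_key(PAGE_KEY), is_valid_key(SAMPLE_KEY))
    print(hill_decrypt(hill_encrypt("HILL", SAMPLE_KEY), SAMPLE_KEY))
```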

MODERN ERA

Advancements in cryptology seem to run parallel with the advancements of computer science. As the world becomes smaller through the constant progression of computing and the ever expanding development of global infrastructures, the needs for a more secure method of private communication seem to increase exponentially. The following are excerpts from varying resources explaining the more advanced cryptosystems of our modern era. If you wish to explore any of these excerpts in more detail, please visit the sources that are listed in the reference section of this publication. There are also links throughout the publication that can be seen in an online version at http://srs41978.webs.com/2009Symposium.htm.

Exponentiation Cipher

In 1978, Pohlig and Hellman created a cipher based on modular exponentiation (Rosen, p. 282). This cipher connects the ciphers of the past to the ciphers of our current era. This cipher is simple to create, but it represents a level of resistance to cryptanalysis that far surpasses that of the ciphers of the past. Analyzing these messages without an enciphering key is a slow and difficult process (Rosen, p. 284). The security of the exponentiation cipher more closely resembles those of the current era.

The enciphering algorithm for the exponentiation cipher is

$C \equiv P^e \pmod{p}, \quad 0 \le C \le p,$

p = a prime number
e = the enciphering key
P = the plaintext block
C = the ciphertext block

Rosen, p. 282

The deciphering algorithm for the exponentiation cipher is

$P \equiv C^d \pmod{p},$ where d is the inverse of e such that $d \cdot e \equiv 1 \pmod{p - 1}$

Rosen, p. 283

To use the enciphering algorithm, we must first substitute the plaintext characters as follows.

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

We then determine m, the number of characters to be included in a block. This then translates to blocks of 2m digits (Holden, p. 3).

Notice that the largest integer substitution in the preceding table is Z = 25. If, for example, we choose to have m = 2, the largest possible character block is ZZ, thus the largest possible 2m-digit block is 2525. The algorithm requires that we select a prime number between the largest possible block of m characters and the largest possible block of m+1 characters (Ikenaga, par. 7). Thus, in our example we will let m = 2 and we must select p, a prime, that satisfies 2525 ≤ p ≤ 252525. For our example, we will also let e = 31 and p = 2557. I will encipher “EMU MATHEMATICS” using $C \equiv P^{31} \pmod{2557}$.

Plaintext Blocks   EM    UM    AT    HE    MA    TI    CS
                   0412  2012  0019  0704  1200  1908  0218
Ciphertext Blocks  0647  0276  1937  1737  0319  1524  0787

Thus we have

$C \equiv 0412^{31} \pmod{2557} = 0647$
$C \equiv 2012^{31} \pmod{2557} = 0276$
$C \equiv 0019^{31} \pmod{2557} = 1937$
$C \equiv 0704^{31} \pmod{2557} = 1737$
$C \equiv 1200^{31} \pmod{2557} = 0319$
$C \equiv 1908^{31} \pmod{2557} = 1524$
$C \equiv 0218^{31} \pmod{2557} = 0787$

Finally, our ciphertext message becomes: {0647, 0276, 1937, 1737, 0319, 1524, 0787}.
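The worked example above as runnable code, added here and not part of the original paper. It builds the 2m-digit blocks, enciphers with e = 31 and p = 2557, and derives the deciphering exponent d from d·e ≡ 1 (mod p − 1); the padding letter X for an incomplete final block is an assumption, since the example text divides evenly.

```python
from math import gcd


def text_to_blocks(text, m=2, pad="X"):
    """Group letters m at a time and join their two-digit codes (A=00 ... Z=25)."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    letters += [pad] * (-len(letters) % m)  # assumed padding rule
    return [
        int("".join(f"{ord(ch) - 65:02d}" for ch in letters[i:i + m]))
        for i in range(0, len(letters), m)
    ]


def blocks_to_text(blocks, m=2):
    """Inverse of text_to_blocks for plaintext blocks."""
    out = []
    for value in blocks:
        digits = f"{value:0{2 * m}d}"
        out += [chr(int(digits[i:i + 2]) + 65) for i in range(0, 2 * m, 2)]
    return "".join(out)


def deciphering_exponent(e, p):
    """d with d*e = 1 (mod p-1); exists only when (e, p-1) = 1."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be coprime to p - 1")
    return pow(e, -1, p - 1)


def encipher(blocks, e, p):
    """C = P^e (mod p) for each block; every block must be smaller than p."""
    if any(not 0 <= b < p for b in blocks):
        raise ValueError("plaintext block out of range for this prime")
    return [pow(b, e, p) for b in blocks]


def decipher(blocks, d, p):
    """P = C^d (mod p)."""
    return [pow(c, d, p) for c in blocks]


if __name__ == "__main__":
    e, p = 31, 2557
    plain = text_to_blocks("EMU MATHEMATICS")
    cipher = encipher(plain, e, p)
    d = deciphering_exponent(e, p)
    print([f"{c:04d}" for c in cipher])
    print(d, blocks_to_text(decipher(cipher, d, p)))
```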

Although the exponentiation cipher is fairly simple to create, it is only a theoretical cipher. This cipher is slow to create in comparison to other private key ciphers. This cipher was also created at a time when public key cryptosystems were being explored, and it was soon determined that public key ciphers were more convenient and viable.

Public Key Cryptosystem

The public key (or asymmetric) cryptosystem was created in 1973 by James H. Ellis, Clifford Cocks, and Malcolm Williamson at the British intelligence agency, GCHQ, in the UK (wiki Public-key cryptography, par. 14 & Higgins, p.253). This system is the basis for present day internet communications. Here, the enciphering keys are public since

unrealistically large amount[s] of computer time … [are] required to find a decrypting transformation from an encrypting transformation. To use a public-key cryptosystem to establish secret communications in a network of n individuals, each individual produces a key of the type specified by the cryptosystem, retaining certain private information that went into the construction of the encrypting transformation $E(k)$, obtained from the key k according to a specified rule. Then a directory of the n keys $k_1, k_2, \cdots, k_n$ is published. When individual i wishes to send a message to individual j, the letters of the message are translated into their numerical equivalents and combined into blocks of specified size. Then, for each plaintext block P a corresponding ciphertext block $C = E_{k_j}(P)$ is computed using the encrypting transformation $E_{k_j}$. To decrypt the message, individual j applies the decrypting transformation $D_{k_j}$ to each ciphertext block C to find P; that is,

$D_{k_j}(C) = D_{k_j}(E_{k_j}(P)) = P$

Because the decrypting transformation $D_{k_j}$ cannot be found in a realistic amount of time by anyone other than individual j, no unauthorized individuals can decrypt the message, even though they know the key $k_j$. Furthermore, cryptanalysis of the ciphertext message, even with knowledge of $k_j$, is extremely infeasible due to the large amount of computer time needed.

Rosen p. 285-6

Knapsack Cipher

This cipher was created by Ralph Merkle and Martin Hellman in 1978 (Wikipedia Merkle-Hellman article, par. 1). It was considered one of the first public key cryptosystems, but was soon dismissed as the algorithm was discovered to be more susceptible to cryptanalysis than the other cryptosystems of its generation.

The knapsack problem states that “given a set of positive integers $a_1, a_2, \cdots, a_n$ and an integer S, the knapsack problem [will ask] which of these integers, if any, adds together to give S. [Thus], for values of $x_1, x_2, \cdots, x_n$ each either 0 or 1, such that $S = a_1 x_1 + a_2 x_2 + \cdots + a_n x_n$” (Rosen, p. 292).

Key generation

In Merkle-Hellman, the keys are comprised of knapsacks. The public key is a 'hard' knapsack, and the private key is an 'easy', or superincreasing, knapsack, combined with two additional numbers, a multiplier and a modulus, which were used to convert the superincreasing knapsack into the hard knapsack. These same numbers are used to transform the sum of the subset of the hard knapsack into the sum of the subset of the easy knapsack, which is solvable in polynomial time.

Encryption

To encrypt a message, a subset of the hard knapsack is chosen by comparing it with a set of bits (the plaintext), equal in length to the key, and making each term in the public key that corresponds to a 1 in the plaintext an element of the subset, while ignoring the terms corresponding to 0 terms in the plaintext. The elements of this subset are added together, and the resulting sum is the ciphertext.

Decryption

Decryption is possible because the multiplier and modulus used to transform the easy, superincreasing knapsack into the public key can also be used to transform the number representing the ciphertext into the sum of the corresponding elements of the superincreasing knapsack. Then, using a simple greedy algorithm, the easy knapsack can be solved using O(n) arithmetic operations, which decrypts the message.

Key generation

To encrypt n-bit messages, choose a superincreasing sequence

w = (w1, w2, ..., wn)

of n nonzero natural numbers. Pick a random integer q, such that

q> ,

and a random integer, r, such that gcd(r,q) = 1.

q is chosen this way to ensure the uniqueness of the ciphertext. If it is any smaller, more than one plaintext may encrypt to the same ciphertext. r must be coprime to q or else it will not have an inverse mod q. The existence of the inverse of r is necessary so that decryption is possible.

Now calculate the sequence

β = (β1, β2, ..., βn)

where

βi = rwi mod q.

The public key is β, while the private key is (w, q, r).

Encryption

To encrypt an n-bit message

α = (α1, α2, ..., αn),

where αi is the i-th bit of the message and αi {0, 1}, calculate

.

The cryptogram then is c.

Decryption

In order to decrypt a ciphertext c a receiver has to find the message bits αi such that they satisfy

.

This would be a hard problem if the βi were random values because the receiver would have to solve an instance of the subset sum problem, which is known to be NP-hard. However, the values βi were chosen such that decryption is easy if the private key (w, q, r) is known.

The key to decryption is to find an integer s that is the modular inverse of r modulo q. That means s satisfies the equation s r mod q=1 or equivalently there exist an integer k such that sr = kq + 1. Since r was chosen such that gcd(r,q)=1 it is possible to find s and k by using the Extended Euclidean algorithm. Next the receiver of the ciphertext c computes

Hence


Because of rs mod q = 1 and βi = rwi mod q follows

Hence

The sum of all values wi is smaller than q and hence is also in the interval [0,q-1]. Thus the receiver has to solve the subset sum problem

This problem is easy because w is a super-increasing sequence. Take the largest element in w, say wk. If wk > c' , then αk = 0, if wk≤c' , then αk = 1. Then, subtract wk×αk from c' , and repeat these steps until you have figured out α.

Wikipedia Merkle-Hellman article, par. 3-8
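The key generation, encryption and greedy decryption steps described above, as an added example that is not part of the original paper. It assumes the standard Merkle-Hellman relations (q larger than the sum of w, ciphertext c equal to the sum of the selected β values, and c' = c·s mod q with s the inverse of r); the key values are small constructed samples, far too short for real use.

```python
from math import gcd

# Constructed sample private key: superincreasing w, modulus q, multiplier r.
W = [2, 7, 11, 21, 42, 89, 180, 354]
Q = 881
R = 588


def is_superincreasing(w):
    """Every element must exceed the sum of all elements before it."""
    total = 0
    for x in w:
        if x <= total:
            return False
        total += x
    return True


def make_public_key(w, q, r):
    """beta_i = r * w_i mod q, after checking the conditions on w, q and r."""
    if not is_superincreasing(w):
        raise ValueError("w must be superincreasing")
    if q <= sum(w):
        raise ValueError("q must be larger than the sum of w")
    if gcd(r, q) != 1:
        raise ValueError("r must be coprime to q")
    return [(r * wi) % q for wi in w]


def encrypt(bits, beta):
    """Add up the public-key terms that line up with 1 bits."""
    if len(bits) != len(beta):
        raise ValueError("message length must equal key length")
    return sum(b * bi for b, bi in zip(bits, beta))


def decrypt(c, w, q, r):
    """Undo the multiplier, then solve the easy knapsack greedily."""
    s = pow(r, -1, q)            # modular inverse of r
    c_prime = (c * s) % q        # sum over the superincreasing knapsack
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):   # largest element first
        if w[i] <= c_prime:
            bits[i] = 1
            c_prime -= w[i]
    if c_prime != 0:
        raise ValueError("ciphertext does not decode under this key")
    return bits


if __name__ == "__main__":
    beta = make_public_key(W, Q, R)
    message = [int(b) for b in format(ord("a"), "08b")]  # 01100001
    c = encrypt(message, beta)
    print(beta, c, decrypt(c, W, Q, R))
```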

RSA

The RSA cryptosystem was created by and named after Ronald Rivest, Adi Shamir, and Leonard Adleman in the 1970s. The cryptosystem was made public in 1977 and was patented in 1983 (Wikipedia RSA article, par. 3-5). This cryptosystem uses modular exponentiation and very large prime numbers to generate ciphers. RSA is as secure as the size of the prime number that it uses to create ciphers, meaning, the smaller the prime number, the more susceptible the system is to cryptanalysis. As the prime number grows in size, so does the security of the RSA cryptosystem. This system is still used to this very day in e-commerce (Wikipedia RSA article, par. 2). It is said to be “the most commonly used public-key algorithm” (SSH Communications Security, par. 34). To remain secure with modern technology and computing capabilities, it is suggested that the RSA cryptosystem should use a prime number that is at least 2048 bits long.

[RSA operates in] a public key cryptosystem … where the keys are pairs $(e, n)$, consisting of an exponent $e$ and a modulus $n$ that is the product of two large primes; that is, $n = pq$, where $p$ and $q$ are large primes, so that $(e, \phi(n)) = 1$. To encrypt a message, we first translate the letters into their numerical equivalents and then form blocks of the largest possible size (with an even number of digits). To encrypt a plaintext block $P$, we form a ciphertext block $C$ by

$$E(P) = C \equiv P^e \pmod{n}, \quad 0 \le C < n.$$

The decrypting procedure requires knowledge of an inverse $d$ of $e$ modulo $\phi(n)$, which exists because $(e, \phi(n)) = 1$. To decrypt the ciphertext block $C$, we find

$$D(C) \equiv C^d = (P^e)^d = P^{ed} = P^{k\phi(n)+1} \equiv (P^{\phi(n)})^k P \equiv P \pmod{n},$$

where $ed = k\phi(n) + 1$ for some integer $k$ because $ed \equiv 1 \pmod{\phi(n)}$, and by Euler’s theorem, we have $P^{\phi(n)} \equiv 1 \pmod{n}$, when $(P, n) = 1$ (the probability that $P$ and $n$ are not relatively prime is extremely small). The pair $(d, n)$ is a decrypting key.

Rosen p.286-7
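The block-wise procedure quoted above, as an added Python example (not code from the paper or from Rosen). The toy primes, the exponent, the A=00 … Z=25 letter coding and the padding letter X are assumptions of this example; the modulus is far too small for real use and no padding scheme is applied.

```python
from math import gcd

def keygen(p, q, e):
    """Return ((e, n), (d, n)) with d the inverse of e modulo phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def letters_per_block(n):
    """Largest k such that the biggest k-letter block, 2525...25, is below n."""
    k = 0
    while int("25" * (k + 1)) < n:
        k += 1
    if k == 0:
        raise ValueError("modulus too small to hold one letter")
    return k

def to_blocks(text, n, pad="X"):
    """Code letters as 00..25 and group them into blocks of 2k digits."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    k = letters_per_block(n)
    letters += [pad] * (-len(letters) % k)     # assumed padding rule
    codes = ["%02d" % (ord(ch) - ord("A")) for ch in letters]
    return [int("".join(codes[i:i + k])) for i in range(0, len(codes), k)]

def from_blocks(blocks, n):
    """Inverse of to_blocks (the padding letter is left in place)."""
    k = letters_per_block(n)
    out = []
    for block in blocks:
        digits = str(block).zfill(2 * k)       # restore leading zeros
        out += [chr(int(digits[i:i + 2]) + ord("A")) for i in range(0, 2 * k, 2)]
    return "".join(out)

def encrypt(blocks, public):
    e, n = public
    return [pow(P, e, n) for P in blocks]      # C = P^e mod n

def decrypt(blocks, private):
    d, n = private
    return [pow(C, d, n) for C in blocks]      # P = C^d mod n

# Constructed toy key: n = 43 * 59 = 2537, phi(n) = 2436, e = 13.
PUBLIC, PRIVATE = keygen(43, 59, 13)
```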

RSA has been so successful that one of its creators went on to cofound an encryption and security company. They hold regular contests and experimentation for prime factorization and to test the security of the RSA cryptosystem. If you would like to explore this matter in more detail, I suggest visiting the RSA website at www.rsa.com or reading the RSA Wikipedia article at http://en.wikipedia.org/wiki/RSA which provides many hyperlinks that will explain the advancements of the RSA cryptosystem in more detail.

To further explore primality tests and/or the Prime Number Theorem, I suggest reading the texts listed in the references section of this publication.

Rabin

The Rabin cryptosystem was published and named after Michael Rabin in 1979 (Wikipedia Rabin Cryptosystem article, par. 2).

The Rabin cryptosystem may be seen as a relative of RSA, although it has a quite different decoding process. What makes it interesting is that breaking Rabin is provably equivalent to factoring.

Rabin uses the exponent 2 (or any even integer) instead of odd integers like RSA. This has two consequences. First, the Rabin cryptosystem can be proven to be equivalent to factoring; second, the decryption becomes more difficult - at least in some sense. The latter is due to problems in deciding which of the possible outcomes of the decryption process is correct.

As it is equivalent to factoring the modulus, the size of the modulus is the most important security parameter. Moduli of more than 1024 bits are assumed to be secure.

There are currently no standards for the Rabin algorithm but it is explained in several books. The IEEE P1363 project might propose a standard and thus make it more widely used.

The equivalence to factoring means only that being able to decrypt any message encrypted by the Rabin cryptosystem enables one to factor the modulus. Thus it is no guarantee of security in the strong sense.

SSH Communications Security, par. 40-44
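The two consequences named in the passage above, shown in Python as an added example (not from the paper or its sources): squaring has four roots modulo $n$, so the receiver needs a rule to pick the right one, and two roots that are not negatives of each other expose a factor of $n$. The restriction to primes congruent to 3 mod 4, the 16-bit tag used as redundancy, and all names and values are assumptions of this example.

```python
from math import gcd

TAG_BITS, TAG = 16, 0xA5A5     # assumed redundancy appended to every message

def rabin_encrypt(m, n):
    """c = m^2 mod n."""
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return (m * m) % n

def rabin_roots(c, p, q):
    """All square roots of c modulo n = p*q, for primes p, q congruent to 3 mod 4."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this shortcut needs p and q congruent to 3 mod 4")
    n = p * q
    r_p = pow(c, (p + 1) // 4, p)              # a root of c modulo p
    r_q = pow(c, (q + 1) // 4, q)              # a root of c modulo q
    if (r_p * r_p - c) % p or (r_q * r_q - c) % q:
        raise ValueError("c is not a square modulo n")
    inv_q = pow(q, -1, p)                      # CRT coefficients
    inv_p = pow(p, -1, q)
    roots = set()
    for s_p in (r_p, p - r_p):
        for s_q in (r_q, q - r_q):
            roots.add((s_p * q * inv_q + s_q * p * inv_p) % n)
    return sorted(roots)

def encode(msg):
    """Append the tag so the intended root can be recognised after decryption."""
    return (msg << TAG_BITS) | TAG

def rabin_decrypt(c, p, q):
    """Keep only the roots that carry the tag; normally exactly one survives."""
    mask = (1 << TAG_BITS) - 1
    return [r >> TAG_BITS for r in rabin_roots(c, p, q) if r & mask == TAG]

def factor_from_roots(r1, r2, n):
    """Two roots of one ciphertext that are not negatives of each other
    satisfy (r1 - r2)(r1 + r2) = 0 mod n, so gcd(r1 - r2, n) is a prime factor."""
    if (r1 - r2) % n == 0 or (r1 + r2) % n == 0:
        raise ValueError("roots are equal or negatives of each other")
    return gcd(abs(r1 - r2), n)
```

This is why an implementation returns only the root that passes the redundancy check and treats the private-key operation as being as sensitive as the factors themselves.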

Diffie-Hellman Key Exchange System

The Diffie-Hellman Key Exchange System was created in 1976 by Whitfield Diffie and Martin Hellman (Wikipedia Diffie-Hellman Key Exchange article, par. 3). It does not encipher and decipher messages. The purpose of this system is to aid in a secure key distribution over a public key cryptosystem.


The protocol has two system parameters $p$ and $g$. They are both public and may be used by all the users in a system. Parameter $p$ is a prime number and parameter $g$ (usually called a generator) is an integer less than $p$, with the following property: for every number $n$ between 1 and $p-1$ inclusive, there is a power $k$ of $g$ such that $n = g^k \bmod p$.

Suppose Alice and Bob want to agree on a shared secret key using the Diffie-Hellman key agreement protocol. They proceed as follows: First, Alice generates a random private value $a$ and Bob generates a random private value $b$. Both $a$ and $b$ are drawn from the set of integers . Then they derive their public values using parameters $p$ and $g$ and their private values. Alice's public value is $g^a \bmod p$ and Bob's public value is $g^b \bmod p$. They then exchange their public values. Finally, Alice computes $g^{ab} = (g^b)^a \bmod p$, and Bob computes $g^{ba} = (g^a)^b \bmod p$. Since $g^{ab} = g^{ba} = k$, Alice and Bob now have a shared secret key $k$.

The protocol depends on the discrete logarithm problem for its security. It assumes that it is computationally infeasible to calculate the shared secret key $k = g^{ab} \bmod p$ given the two public values $g^a \bmod p$ and $g^b \bmod p$ when the prime $p$ is sufficiently large. Maurer [Mau94] has shown that breaking the Diffie-Hellman protocol is equivalent to computing discrete logarithms under certain assumptions.

The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. In this attack, an opponent Carol intercepts Alice's public value and sends her own public value to Bob. When Bob transmits his public value, Carol substitutes it with her own and sends it to Alice. Carol and Alice thus agree on one shared key and Carol and Bob agree on another shared key. After this exchange, Carol simply decrypts any messages sent out by Alice or Bob, and then reads and possibly modifies them before re-encrypting with the appropriate key and transmitting them to the other party. This vulnerability is present because Diffie-Hellman key exchange does not authenticate the participants. Possible solutions include the use of digital signatures and other protocol variants.

The authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol, was developed by Diffie, van Oorschot, and Wiener in 1992 [DVW92] to defeat the man-in-the-middle attack on the Diffie-Hellman key agreement protocol. The immunity is achieved by allowing the two parties to authenticate themselves to each other by the use of digital signatures (see Question 2.2.2) and public-key certificates (see Question 4.1.3.10).

Roughly speaking, the basic idea is as follows. Prior to execution of the protocol, the two parties Alice and Bob each obtain a public/private key pair and a certificate for the public key. During the protocol, Alice computes a signature on certain messages, covering the public value $g^a \bmod p$. Bob proceeds in a similar way. Even though Carol is still able to intercept messages between Alice and Bob, she cannot forge signatures without Alice's private key and Bob's private key. Hence, the enhanced protocol defeats the man-in-the-middle attack.

In recent years, the original Diffie-Hellman protocol has been understood to be an example of a much more general cryptographic technique, the common element being the derivation of a shared secret value (that is, key) from one party's public key and another party's private key. The parties' key pairs may be generated anew at each run of the protocol, as in the original Diffie-Hellman protocol. The public keys may be certified, so that the parties can be authenticated and there may be a combination of these attributes. The draft ANSI X9.42 (see Question 5.3.1) illustrates some of these combinations, and a recent paper by Blake-Wilson, Johnson, and Menezes provides some relevant security proofs.

RSA Laboratories, par. 2-8
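The exchange and its authenticated variant described above, as an added Python example (not from the paper or from RSA Laboratories). It is a simplified sketch of the signing idea rather than the full STS protocol: each side signs the pair of public values it sent and received, with a textbook RSA signature standing in for a certified key. The toy group, the signing keys and all names are assumptions of this example.

```python
import hashlib

P, G = 23, 5          # constructed toy group, far too small for real use

def dh_public(priv):
    return pow(G, priv, P)

def dh_shared(peer_public, priv):
    return pow(peer_public, priv, P)

def toy_signing_keypair(p, q, e=65537):
    """Textbook RSA signing key (public, private); stands in for a certified key."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def digest(sent, received, n):
    data = f"{sent}|{received}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sent, received, private):
    d, n = private
    return pow(digest(sent, received, n), d, n)

def verify(sent, received, signature, public):
    e, n = public
    return pow(signature, e, n) == digest(sent, received, n)

def plain_exchange(a, b, c=None):
    """Keys derived by (Alice, Bob). If c is given, both public values are
    replaced in transit by g^c, as in the interception described above."""
    to_bob = dh_public(a) if c is None else dh_public(c)
    to_alice = dh_public(b) if c is None else dh_public(c)
    return dh_shared(to_alice, a), dh_shared(to_bob, b)

def signed_exchange(a, b, alice, bob, c=None):
    """Same exchange, but each side signs (value it sent, value it received).
    Returns the shared key, or None when either signature check fails."""
    A, B = dh_public(a), dh_public(b)
    to_bob = A if c is None else dh_public(c)
    to_alice = B if c is None else dh_public(c)
    sig_a = sign(A, to_alice, alice[1])
    sig_b = sign(B, to_bob, bob[1])
    alice_ok = verify(to_alice, A, sig_b, bob[0])   # did Bob sign what I saw?
    bob_ok = verify(to_bob, B, sig_a, alice[0])     # did Alice sign what I saw?
    if not (alice_ok and bob_ok):
        return None                                 # abort: values were altered
    return dh_shared(to_alice, a)

# Constructed signing keys built from Mersenne primes (toy sizes).
ALICE = toy_signing_keypair(2**61 - 1, 2**89 - 1)
BOB = toy_signing_keypair(2**107 - 1, 2**127 - 1)
```

Without signatures the substituted values go unnoticed and the two sides silently end up with different keys; with them, the mismatch between what was signed and what was received makes both sides abort.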

For a more in-depth explanation of the Diffie-Hellman Key Exchange System, please read New Directions in Cryptography by Whitfield Diffie and Martin Hellman at http://www.cs.berkeley.edu/~christos/classics/diffiehellman.pdf.

Shamir Three-Pass Protocol

The three-pass protocol was created by Adi Shamir in 1980 (Wikipedia Three-Pass Protocol article, par. 2).

The protocol uses an encryption function E and a decryption function D. The encryption function uses an encryption key e to change a plaintext message m into an encrypted message, or ciphertext, E(e,m). Corresponding to each encryption key e there is a decryption key d which allows the message to be recovered using the decryption function, D(d,E(e,m))=m. Sometimes the encryption function and decryption function are the same.

In order for the encryption function and decryption function to be suitable for the Three-Pass Protocol they must have the property that for any message m, any encryption key e with corresponding decryption key d and any independent encryption key k,  D(d,E(k,E(e,m))) = E(k,m). In other words, it must be possible to remove the first encryption with the key e even though a second encryption with the key k has been performed. This will always be possible with a commutative encryption. A commutative encryption is an encryption that is order-independent, i.e. it satisfies E(a,E(b,m))=E(b,E(a,m)) for all encryption keys a and b and all messages m. Commutative encryptions satisfy D(d,E(k,E(e,m))) = D(d,E(e,E(k,m))) = E(k,m).

The Three-Pass Protocol works as follows:

1. The sender chooses a private encryption key s and a corresponding decryption key t. The sender encrypts the message m with the key s and sends the encrypted message E(s,m) to the receiver.

2. The receiver chooses a private encryption key r and a corresponding decryption key q and super-encrypts the first message E(s,m) with the key r and sends the doubly-encrypted message E(r,E(s,m)) back to the sender.

3. The sender decrypts the second message with the key t. Because of the commutativity property described above D(t,E(r,E(s,m)))=E(r,m) which is the message encrypted with only the receiver's private key. The sender sends this to the receiver.

The receiver can now decrypt the message using the key q, namely D(q,E(r,m))=m the original message.

Notice that all of the operations involving the sender's private keys s and t are performed by the sender, and all of the operations involving the receiver's private keys r and q are performed by the receiver, so that neither party needs to know the other party's keys … The Shamir algorithm uses exponentiation modulo a large prime as both the encryption and decryption functions. That is $E(e,m) = m^e \bmod p$ and $D(d,m) = m^d \bmod p$ where $p$ is a large prime. For any encryption exponent $e$ in the range $1..p-1$ with $\gcd(e, p-1) = 1$, the corresponding decryption exponent $d$ is chosen such that $de \equiv 1 \pmod{p-1}$. It follows from Fermat's Little Theorem that $D(d,E(e,m)) = m^{de} \bmod p = m$.

The Shamir protocol has the desired commutativity property since $E(a,E(b,m)) = m^{ab} \bmod p = m^{ba} \bmod p = E(b,E(a,m))$.

Wikipedia Three Pass Protocol article, par. 3-8
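The three passes with Shamir's exponentiation functions, as an added Python example (not from the paper or the article it quotes). The modulus, the key-generation helper and all names are assumptions of this example.

```python
import secrets
from math import gcd

P = 2**127 - 1        # constructed toy modulus (a Mersenne prime)

def new_keypair(p=P):
    """Random exponent e with gcd(e, p-1) = 1, and d with d*e = 1 (mod p-1)."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 .. p-2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def E(key, m, p=P):
    """E(e, m) = m^e mod p; D is the same function used with the exponent d."""
    if not 0 < m < p:
        raise ValueError("message must be in 1..p-1")
    return pow(m, key, p)

D = E

def three_pass(m, sender, receiver, p=P):
    """Run the protocol; return (values seen on the wire, receiver's output).
    sender = (s, t) and receiver = (r, q) are (encrypt, decrypt) exponents."""
    s, t = sender
    r, q = receiver
    first = E(s, m, p)            # pass 1, sender -> receiver: E(s, m)
    second = E(r, first, p)       # pass 2, receiver -> sender: E(r, E(s, m))
    third = D(t, second, p)       # pass 3, sender -> receiver: E(r, m)
    return [first, second, third], D(q, third, p)
```

With the constructed values p = 23, m = 10, (s, t) = (3, 15) and (r, q) = (7, 19), the wire carries 11, 7 and 14, and the receiver recovers 10.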

Massey-Omura Cryptosystem

The Massey-Omura Cryptosystem was proposed by James Massey and Jim K. Omura in 1982 as a possible improvement over the Shamir protocol. The Massey-Omura method uses exponentiation in the Galois field $GF(2^n)$ as both the encryption and decryption functions. That is $E(e,m) = m^e$ and $D(d,m) = m^d$ where the calculations are carried out in the Galois field. For any encryption exponent $e$ with $0 < e < 2^n - 1$ and $\gcd(e, 2^n - 1) = 1$ the corresponding decryption exponent is $d$ such that $de \equiv 1 \pmod{2^n - 1}$. Since the multiplicative group of the Galois field $GF(2^n)$ has order $2^n - 1$ Lagrange's theorem implies that $m^{de} = m$ for all $m$ in $GF(2^n)^*$.

Each element of the Galois field $GF(2^n)$ is represented as a binary vector over a normal basis in which each basis vector is the square of the preceding one. That is, the basis vectors are $v^1, v^2, v^4, v^8, \ldots$ where $v$ is a field element of maximum order. By using this representation, exponentiations by powers of 2 can be accomplished by cyclic shifts. This means that raising $m$ to an arbitrary power can be accomplished with at most $n$ shifts and $n$ multiplications. Moreover, several multiplications can be performed in parallel. This allows faster hardware realizations at the cost of having to implement several multipliers.

Wikipedia Three Pass Protocol article, par. 9-10

Elgamal Cryptosystem

The Elgamal cryptosystem was based upon the Diffie-Hellman key exchange and created in 1984 by Taher Elgamal (Wikipedia ElGamal encryption article, par. 1).

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

The key generator works as follows:

Alice generates an efficient description of a multiplicative cyclic group of order with generator . See below for a discussion on the required properties of this group.

Alice chooses a random from .

Alice computes .

Alice publishes , along with the description of , as her public key. Alice retains as her private key which must be kept secret.


The encryption algorithm works as follows: to encrypt a message to Alice under her public key ,

Bob converts into an element of .

Bob chooses a random from , then calculates and .

Bob sends the ciphertext to Alice.

The decryption algorithm works as follows: to decrypt a ciphertext with her private key ,

Alice computes as the plaintext message.

The decryption algorithm produces the intended message, since

If the space of possible messages is larger than the size of , then the message can be split into several pieces and each piece can be encrypted independently. Alternately, ElGamal may be used in a hybrid cryptosystem to improve efficiency on long messages.

Wikipedia ElGamal encryption article, par. 3-7
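ElGamal key generation, encryption and decryption over the integers modulo a prime, including the splitting of a long message into independently encrypted pieces mentioned above, as an added Python example (not from the paper or the article it quotes). The group, the names p, g, x, h, y, c1, c2 and the one-byte piece marker are all assumptions of this example.

```python
import secrets

P = 2**127 - 1        # constructed toy prime modulus
G = 3                 # assumed base; not checked to generate the whole group

def keygen(p=P, g=G):
    """Return (public h = g^x mod p, private x)."""
    x = secrets.randbelow(p - 3) + 2
    return pow(g, x, p), x

def encrypt(m, h, p=P, g=G, y=None):
    """Ciphertext (c1, c2) = (g^y, m * h^y) with a fresh random y per message."""
    if not 0 < m < p:
        raise ValueError("message must be in 1..p-1")
    if y is None:
        y = secrets.randbelow(p - 3) + 2
    c1 = pow(g, y, p)
    s = pow(h, y, p)                       # shared secret g^(x*y)
    return c1, (m * s) % p

def decrypt(ciphertext, x, p=P):
    """Recompute s = c1^x and divide it out of c2."""
    c1, c2 = ciphertext
    s = pow(c1, x, p)
    return (c2 * pow(s, -1, p)) % p

def split(data, p=P):
    """Cut bytes into pieces below p; a leading 0x01 byte keeps every piece
    non-zero and preserves leading zero bytes of the data."""
    k = (p.bit_length() - 1) // 8 - 1      # data bytes per piece
    if k < 1:
        raise ValueError("modulus too small")
    return [int.from_bytes(b"\x01" + data[i:i + k], "big")
            for i in range(0, len(data), k)]

def join(pieces):
    """Inverse of split: drop the marker byte of each piece."""
    return b"".join(m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
                    for m in pieces)

def encrypt_bytes(data, h, p=P, g=G):
    return [encrypt(m, h, p, g) for m in split(data, p)]

def decrypt_bytes(ciphertexts, x, p=P):
    return join(decrypt(ct, x, p) for ct in ciphertexts)
```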

CONCLUSION

This history of cryptology ends at roughly the early-mid 1980s. In addition to constraints in time and resources, I chose this end point because most present time cryptosystems are based upon the foundations of the cryptosystems discussed in this piece. The modifications are very minor; typically they have the addition of digital signatures or other authenticating algorithms. Otherwise, the basic key creation, encryption, and decryption methods are virtually the same. There is a constant flow of research involving cryptology and its most current algorithms. Public and private agencies hold annual conferences and research contests to test the stability and susceptibility of our current cryptosystems to cryptanalysis. Although some codes have been broken, they may still be used since it is very difficult to apply methods of cryptanalysis and very costly to change cryptosystems.

Typically, the research to aid in the security of these cryptosystems is not published to the public, but I would like to draw attention to some very important algorithms and standards that assist in the security and reliability of the more recent cryptosystems by providing some web links to Wikipedia articles that briefly discuss these algorithms and standards in some detail.

Data Encryption Standard (DES) http://en.wikipedia.org/wiki/Data_Encryption_Standard


Digital Signature Algorithm (DSS) http://en.wikipedia.org/wiki/Digital_Signature_Algorithm

Advanced Encryption Standard (AES) http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

The next generation of cryptology will be based upon theories in quantum mechanics (see http://en.wikipedia.org/wiki/Quantum_mechanics for more information regarding this topic) and include an exploration into quantum cryptography (see http://en.wikipedia.org/wiki/Quantum_cryptography for more information regarding this topic) through the use of quantum computers (see http://en.wikipedia.org/wiki/Quantum_computers for more information regarding this topic).

For a more detailed, but more succinctly discussed, timeline of cryptology/cryptography, please visit http://en.wikipedia.org/wiki/Timeline_of_cryptography, https://www.securetrust.com/resources/crypto-uni/, http://users.telenet.be/d.rijmenants/en/timeline.htm, or see the text A Brief History of Cryptology by J. V. Boone, published by The Naval Institute Press in Annapolis, Maryland in 2005.

We have discussed more than twenty different topics relating to cryptology, cryptography, cryptosystems, and cryptanalysis, but this is only a small fraction of the studies of cryptology. There are other interesting topics, some that may or may not involve number theory or computer science, that were not discussed in this work due to varying research constraints. For much more information regarding the broad topic of cryptology/cryptography, I suggest visiting some of the sources in the references section that shortly follows, or conducting your own research using the words listed in the keywords section of this piece.


REFERENCES

Diffie, W. & Hellman, M.E. “New Directions In Cryptography.” November 1976. Information Theory, IEEE Transactions, Volume 22, Issue 6, p. 644-654. 6 March 2009. <http://www.cs.berkeley.edu/~christos/classics/diffiehellman.pdf>

Higgins, Peter M. Number Story. London: Springer-Verlag London Limited, 2008.

Holden, Joshua. The Pohlig-Hellman Exponentiation Cipher as a Bridge Between Classical and Modern Cryptography. August 2008 Slide Share. 6 March 2009. <http://www.slideshare.net/joshuarbholden/the-pohlighellman-exponentiation-cipher-as-a-bridge-between-classical-and-modern-cryptography>

Koblitz, Neal. Graduate Texts in Mathematics: A Course in Number Theory and Cryptography 2nd. Ed. London: Springer-Verlag London Limited, 1994.

Rosen, Kenneth H. Elementary Number Theory and its applications 4th. Ed. Addison-Wesley, 2000.

RSA Laboratories. “Historical.” 3.6.1 What is Diffie-Hellman? 2009. RSA Security. 6 March 2009. <http://www.rsa.com/rsalabs/node.asp?id=2248>

SSH Communications Security. “Algorithms: Public-Key Cryptosystems (Asymmetric Ciphers).” RSA. 2009. SSH Communications Security. 6 March 2009. <http://www.ssh.com/support/cryptography/algorithms/asymmetric.html>

Wikipedia. “Diffie-Hellman key exchange.” 13 March 2009. Wikipedia Foundation, Inc. 16 March 2009. <http://en.wikipedia.org/wiki/Diffie-Hellman>

Wikipedia. “ElGamal encryption.” 9 March 2009. Wikipedia Foundation, Inc. 16 March 2009. <http://en.wikipedia.org/wiki/ElGamal_cryptosystem>

Wikipedia. “Merkle-Hellman.” 2 March 2009. Wikipedia Foundation, Inc. 6 March 2009. <http://en.wikipedia.org/wiki/Merkle-Hellman>

Wikipedia. “Public-key cryptography.” 14 March 2009. Wikipedia Foundation, Inc. 18 March 2009. <http://en.wikipedia.org/wiki/Public-key_cryptography>

Wikipedia. “Rabin cryptosystem.” 18 February 2009. Wikipedia Foundation, Inc. 6 March 2009. <http://en.wikipedia.org/wiki/Rabin_cryptosystem>

Wikipedia. “RSA.” 16 March 2009. Wikipedia Foundation, Inc. 16 March 2009. <http://en.wikipedia.org/wiki/RSA>

Wikipedia. “Three-pass protocol.” 13 October 2008. Wikipedia Foundation, Inc. 6 March 2009. <http://en.wikipedia.org/wiki/Three-pass_protocol#Massey-Omura_cryptosystem>
