Before we start with the technical material, I want to tell you a little bit about the history of cryptography. There's a beautiful book on this topic by David Kahn called the codebreakers. It covers the history of cryptography all the way from the Babylonian era, to the present. Here, I'm just going to give you a few examples of historical ciphers, all of which are badly broken. So to talk about ciphers the first thing I'm going to do is introduce our friends Alice and Bob, who are gonna be with us for the rest of the quarter. So Alice and Bob are trying to communicate securely and there is an attacker who's trying to eavesdrop on their conversation. So to communicate securely, they're going to share a secret key, which I'll denote by K. They both know the secret key. But the attacker does not know anything about this key K. So now they're gonna use a cipher, which is a pair of algorithms, an encryption algorithm denoted by E, and a decryption algorithm, D. These algorithms work as follows: the encryption algorithm E takes the message M as inputs. And it takes as inputs, the key K. I'm gonna put a wedge above the key input just to denote the fact that this input is really the key input. And then it outputs a ciphertext. Which is the encryption of the message M using the key K. I'm always gonna write the key first. Now, and when I write: = what I mean is that the expression defines what C what the variable C stands for. Now the ciphertext is transmitted over the internet to Bob, somehow. Actually it could be transmitted over the internet. Could be transmitted using an encrypted file system, it doesn't really matter, but when the ciphertext reaches Bob, he can plug it into the decryption algorithm and give the decryption algorithm the same key K. Again, I'm gonna put a wedge here as well. To denote the key inputs and the decryption algorithm outputs the original plaintext message. Now the reason we say that these are symmetric ciphers is that both the encrypter and decrypter actually use the same key K. As we'll see later in the course, there are ciphers where the encrypter uses one key and the decrypter uses a different key. But here we're just going to focus on symmetric cipher where both sides use the same key. Okay, so let me give you a few historic examples of ciphers. The first example, the simplest one is called the substitution cipher. I am sure all of you played the substitution ciphers when you were in kindergarten. Basically a key for a substitution cipher is a substitution table that basically says how to map our letters. So here for example the letter A would be mapped to C, the letter B would be mapped to W the letter C would be mapped to N so on and so forth and then the letter Z would be mapped, say, to A. So this is one example of a key for a substitution cipher. So just to practice the notation we introduced before, the encryption of a certain message using this key, let's say the message is BCZA, the encryption of this message using this key here would be, is done by substituting one letter at a time. So B becomes W, C becomes N, Z becomes A, and A becomes C. So the encryption of BCZA is WNAC, and this defines the ciphertext. Similarly we can decrypt the ciphertext using the same key and of course we'll get back the original message. Okay. So, just for historical reasons, there is one example of something that's related to the substitution cipher called the Caesar cipher. The Caesar cipher, actually, is not really a cipher at all. And the reason is that it doesn't have a key. What a Caesar cipher is, is basically a substitution cipher where the substitution is fixed. Namely, it's a shift by three. So A becomes D, B becomes E, C becomes F and so on and so forth. What is it, Y becomes B and Z becomes C. It's a fixed substitution that's applied to all plaintext messages. So, again, this is not a cipher, because there is no key, the key is fixed. So if an attacker knows how our encryption scheme works, he can easily decrypt the message. The key is not random, and therefore, decryption is very easy once you understand how the scheme actually works. Okay, so now, let's go back to the substitution cipher, where the keys really are chosen at random, the substitution tables are chosen at random. And let's see how we break this substitution cipher. Turns out to be very easy to break. The first question is, how big is the key space? How many different keys are there, assuming we have 26 letters? So, I hope all of you said that, the number of keys is 26 factorial, because, a key, a substitution key, is simply a table, a permutation of all 26 letters. The number of permutations of 26 letters, is 26 factorial. If you calculate this out, twenty-sixth factorial is about two to the 88th, which means that describing a key in a substitution cipher takes about 88 bits. So, each key is represented by about 88 bits. Now, this is a perfectly fine size for a keyspace. In fact, we're gonna be seeing ciphers that are perfectly secure, or, you know, that are adequately secure, with key spaces that are roughly of this size. However, even though the substitution cipher has a large key space of size 2^88, it's still terribly insecure. So let's see how to break it. And to break it, we're going to be using letter frequencies. So the first question is, what is the most frequent letter in English text? So I imagine all of you know that, in fact, E is the most common letter. And that is gonna, if we make it quantitative, that's gonna help us break a substitution cipher. So just given the ciphertext, we can already recover the plaintext. So the way we do that is, first of all, using frequencies of English letters. So here's how this works. So you give me an encrypted message using the substitution cipher. All I know is that the plaintext is in English and I know that the letter E is the most frequent letter in English. And in fact, it appears 12.7 percent of the time in standard English texts. So what I'll do is I'll look at the ciphertext you gave me and I'm going to count how many times every letter appears. Now the most common letter in the ciphertext is going to be the encryption of the letter E with very high probability. So now I'm able to recover one entry in the key table. Mainly the letter, mainly now I know what the letter E maps to. The next, most common letter in English is the letter T, that appears about 9.1 percent of the time. So now again, I count how many times each letter appears in the ciphertext. And the second most frequent letter is very likely to be the encryption of the letter T. So now I've recovered a second entry in the key table. And I can continue this way. In fact, the letter A is the next most common letter; it appears 8.1 percent of the time. So now I can guess that the third most common letter in the ciphertext is the encryption of the letter A. And now I've recovered three entries in the key table. Well, so now what do I do? The remaining letters in English appear roughly same amount of time, other than some rare letters like Q and X. But we're kinda stuck at this point. We figured out three entries in the key table but what do we do next? So, the next idea is to use frequencies of pairs of letters. Sometimes these are called digrams. So, what I'll do is, I'll count how many times each pair of letters appears in the cipher text, and, I know that in English, the most common pairs of letters are things like, HE, AN. IN, I guess TH is another common pair of letters. And so I know that the most common pair of letters in the ciphertext is likely to be the encryption of one of these four pairs. And so by trial and error I can sort of figure out more entry ... more elements in the key table and again by more trial and error this way by looking at trigrams. I can actually figure out the entire key table. So the bottom line here is that in fact the substitution cipher is vulnerable to the worst possible type of attack namely a ciphertext only attack. Just given the ciphertext the attack that can recover the decryption key and therefore recover the original plaintext. So there's really no point in encrypting anything using the substitution cipher, because the attacker can easily decrypt it all; you might as well send your plaintext completely in the clear. So, now we're gonna fast-forward to the Renaissance, and, I guess we're moving from the Roman Era to the Renaissance, and look at a cipher designed by a fellow named Vigener, who lived in the sixteenth century. He designed a couple of ciphers. Here I'm gonna show you a variant of one of his ciphers, this is called a Vigener cipher. So, in a Vigener cipher, the key is a word. In this case the word, is CRYPTO, it's got six letters in it. And then to encrypt a message, what you do is, you write the message under the key. So in this case the message is "WHAT A NICE DAY TODAY" and then you replicate the key as many times as needed to cover the message. And then the way you encrypt is basically, you add the key letters to the message letters, modulo 26. So just to give you an example here, for example, if you add Y and A, you get Z. If you add T and A, you get U. And you do this for all the letters. And remember, whenever you add, you add modulo 26. So if you go past Z, you go back to A. So, that's the Vigener cipher. And in fact, decryption is just as easy as encryption. Basically, the way you would decrypt is, again, you would write the ciphertext under the key. You would replicate the key and then you would subtract the key from the ciphertext to get the original plain text message. So, breaking the Vigener cipher is actually quite easy. Let me show you how you do it. The first thing we need to do is we need to assume that we know the length of the key. So let's just assume we know that. In this case, the length of the key is six. And then what we do is we break the cipher text into groups of six letters each, okay? So we're gonna get a bunch, a bunch of groups like this. Each one, contains six letters. And then we're gonna look at, the first letter in each group. Okay? So, in this case, yes, we're looking at the first letter, every six characters. Now, what do we know about these six letters? We know that, in fact, they're all encrypted using the same letter in the ciphertext. All of these are encrypted using the letter c. In other words. Z L W is a shift by three of the plaintext letters. So if we collect all these letters then the most common letter among the set is likely to be the encryption of E, right? E is the most common letter in English, therefore, if I look at every sixth letter, the most common letter in that set is likely to be the encryption of the letter E. Ahah! So let's just suppose that in fact the most common letter every sixth letter happens to be the letter H. Then we know that E plus the first letter of the key is equal to H. That says that the first letter of the key is equal to H minus E. And in fact that is the letter C. So now we've recovered the first letter of the key. Now we can continue doing this with the second letter. So we look at the second letter in every group of six characters and again, we repeat the same exercise. We find the most common letter among the sets and we know that the most, this most common letter is likely the encryption of E and therefore whatever this letter, whatever this most common letter is if we subtract 'E' from it we're going to get the second letter of the key. And so on and so forth. With, the third letter every six characters. And this way we recover, the entire key. And that allows us to decrypt, the message. Now, the only caveat is that I had to assume ahead of time that I know the length of the key, which in this case is six. But if I don't know the length of the key ahead of time, that's not a problem either. What I would do is I would run this decryption procedure, assuming the key length is one. Then I'd run it assuming the key length is two. Then I would run it assuming the key lengths is three. And so on, and so on, and so on, until finally I get a message. I get a decryption that makes sense, that's sensical. And once I do that I know that I've kind of recovered the right length of the key and I know that I've also recovered the right key and therefore the right message. Okay? So very, very quickly, you can recover, you can decrypt Vigener cyphers. Again, this is a ciphertext only attack. The interesting thing is, Vigener had a good idea here. This addition mod 26 is actually a good idea, and we'll see that later, except it's executed very poorly here. And so we'll correct that, a little bit later. Okay, we're gonna fast-forward now from the Renaissance to, to the nineteenth century where everything became electric. And so people wanted to design ciphers that use electric motors. In particular, these ciphers are called rotor machines because they use rotors. So an early example is called the Hibber machine which uses a single motor. Here you have a picture of this machine. The, the motor, the, I guess the rotor is over here. And the secret key is captured by this disc here, it's embedded inside of this disc, which rotates by one notch every time you press a key on the typewriter, okay? So every time you, that you hit a key, the disc rotates by one notch. Now what does this key do? Well, the key actually encodes a substitution table. So ... and therefore, the disc actually is the secret key. And as I said, this disc encodes a substitution table. In this case, if you happen to press C as the first letter, output would be the letter T. And then the disc would rotate by one notch. After rotating, rotating by one notch, the new substitution table becomes the one shown here. You see that E, basically, moves up, and then the remaining letters move down. So imagine this is basically a two dimensional rendering of the disc rotating by one notch. Then you press the next letter. And the disc rotates again. You notice again N moved up and the remaining letters moved down. So in particular, if we hit the letter C three times, the first time we would output, the output would be T, the second time the output would be S, and the third time the output wold be K. So this is how the single rotor machine works and as it turned out very quickly after it was advertised it was again broken basically using letter frequency, digram frequencies and trigram frequencies. It's not that hard given enough ciphertext to directly recover the secret key and then the message. Again, a ciphertext only attack. So to kind of work against these frequency attacks, these statistical attacks, these rotor machines became more and more complicated over time. Until finally, I'm sure you've all heard of the Enigma. The Enigma is a kind of complicated rotor machine. It uses three, four, or five rotors. There are different versions of the Enigma machine. Here you see an example of the Enigma machine with three rotors. The secret key in the Enigma machine is the initial setting of the rotors. Okay. So in the case of three rotors there would be 26 cubed possible different keys. When you type on the typewriter basically these rotors here rotate at different rates. Oh, forgot to say this is a diagram of an Enigma machine using four rotors. As you type on the typewriter the rotors rotate and output the appropriate, letters of, the ciphertext. So in this case the number of keys is 26 to the fourth, which is two to the eighteen, which is relatively a small key space. Today you can kind of, brute-force a search using a computer through two to the eighteen different keys, very, very quickly. You know, my wristwatch can do it in just a few seconds, I guess. And so, these, this Enigma machine was, already was using relatively small key spaces. But I'm sure you've all heard that the British cryptographers at Bletchley Park were able to mount ciphertext only attacks on the Enigma machine. They were able to decrypt German ciphers back in World, in World War Two. And that played an important role in many different battles during the war. After the war, I guess that was the end kind of the mechanical age and started the digital age where folks were using computers. And as the world kind of migrated to using computers, the government realized that it's buying a lot of digital equipment from industry. And so they wanted industry to use a good cipher so that when it buys equipment from the, from industry, it would be getting equipment with, with a decent cipher. And so the government put out this request for proposal for a data encryption standard, a Federal data encryption standard. And we're gonna talk about this effort, in more detail later on in the course, but in 1974 a group at IBM put together a cipher that became known as DES, data encryption standard, which became a Federal standard for encrypting data. The key space for DES is two to the 56, which is relatively small these days, but was large enough back in 1974. And another interesting thing about DES is, rather than, unlike rotor machines which encrypt one character at a time the data encryption standard encrypts 64 bits at a time, namely eight characters at a time. And we'll see the significance of this later on in the course. Because DES uses such a small key space, these days it can be broken by a brute-force search and so these days DES is considered insecure and should not be used in projects. Unfortunately, it is used in some legacy systems, but it definitely is on its way out and definitely should not be used in new projects. Today there are new ciphers, things like the advanced encryption standard which uses 128 bit keys. Again, we'll talk about the advanced encryption standards in much more detail later on in the course. There are many, many other types of ciphers. I mentioned Salsa20 here. We'll see why in just a minute. But this is all for the quick historical survey and now we can get into the more technical material.