Cryptography Reference
In-Depth Information
Point 2 makes it hard to exploit more than the first ciphertext block. Otherwise, a
sufficiently long plaintext (perhaps only 18 blocks long, i.e., 4.5 Kbytes) would
already be the key to success. However, Point 1 turns
fcrypt
into a non-linear
mapping, which means that we are back to having to rely on chosen plaintexts.
(Adding or XORing a byte wouldn't change anything in our consideration as
to what bytes will or won't change.) On the other hand, we could pick out
plaintext blocks that differ little from the beginning of messages to eventually
reveal the matrix. As far as the method is concerned, it would certainly be a
fascinating and challenging task, but its actual benefit is doubtful.
As a sideline, thanks to the complications under Points 1 and 2,
fcrypt
acquires
excellent statistical properties. I encrypted a sequence composed of ten million
line break characters ('
n'); the ciphertext showed no cycle whatsoever and
behaved like a sequence of very good random numbers in every respect. Also
thanks to the two complications, a plaintext attack wouldn't be as easy as one
might think. You can see that probability-theoretical statements have to be rated
very carefully — if statistics can't be used for cryptanalysis, there are still plenty
of other methods.
vigc crk
from Section 3.6.4 is an impressive example.
\
Transpositions and Differential Cryptanalysis
Transpositions (see Section 2.2) are even easier to break if we use differen-
tial cryptanalysis rather than
fcrypt
. Pure transpositions are linear, regardless
of whether they are bitwise or bytewise (with bitwise operations, we compute
modulo 2, as usual; otherwise modulo 256). This means that a few plaintext
blocks will do; we take them to form linear combinations (see Glossary) that
differ only in one bit or byte. Since we can compute the corresponding cipher-
texts as linear combinations
5
in the same way, we can see directly which bits
or bytes differ there, thus revealing the transposition just as directly. Here, too,
we need not know anything about the text's statistics; the only prerequisite is
that a sufficient number of plaintext blocks are linearly independent (i.e., none
of their linear combinations is zero). This prerequisite is very realistic.
Linear methods such as
fcrypt
(without the addition or XOR modification) and
transpositions are rewarding candidates for differential cryptanalysis, since they
can be mounted as plaintext attacks in cases like this. Generally, however, they
require chosen-plaintext attacks, often even with extremely extensive plaintext,
as we will see in Section 4.4 and Chapter 5.
5
This is the simplest linear algebra, except on a finite field.
