For some reason, good cryptography is just much harder than it looks. This field seems to have a continuous flow of experts from other fields who offer cryptographic variations of ideas which are common in their other field. Now, there is nothing wrong with new ideas. But there are in fact many extremely intelligent and extremely well-educated people with wide-ranging scientific interests who are active in this field. It is very common to find that so-called "new" ideas have been previously addressed under another name or as a general concept. Try to get some background before you get in too deep.
You may wish to help support this work by patronizing Ritter's Crypto Bookshop.
It is possible to transform or encipher a message or plaintext into "an intermediate form" or ciphertext in which the original information is present but hidden. Then we can release the transformed message (the ciphertext) without exposing the information it represents.
By using different transformations, we can create many different ciphertexts for the exact same message. So if we select a particular transformation "at random," we can hope that anyone wishing to expose the message ("break" the cipher) can do no better than simply trying all available transformations (on average, half) one-by-one. This is a brute force attack.
The difference between intermediate forms is the interpretation of the ciphertext data. Different ciphers and different keys will produce different interpretations (different plaintexts) for the exact same ciphertext. The uncertainty of how to interpret any particular ciphertext is how information is "hidden."
Naturally, the intended recipient needs to know how to transform or decipher the intermediate form back into the original message, and this is the key distribution problem.
By itself, ciphertext is literally meaningless, in the sense of having no one clear interpretation. In so-called perfect ciphers, any ciphertext (of appropriate size) can be interpreted as any message, just by selecting an appropriate key. In fact, any number of different messages can produce exactly the same ciphertext, by using the appropriate keys. In other ciphers, this may not always be possible, but it must always be considered. To attack and break a cipher, it is necessary to somehow confirm that the message we generate from ciphertext is the exact particular message which was sent.
Most of us have encountered a simple form of ciphering in grade school, and it usually goes something like this:
On a piece of lined paper, write the alphabet in order, one character per line:
A B C ...Then, on each line, we write another character to the right. In this second column, we also want to use each alphabetic character exactly once, but we want to place them in some different order.
A F B W C A ...
When we have done this, we can take any message and encipher it letter-by-letter.
To encipher a letter, we find that letter in the left column, then use the associated letter from the right column and write that down. Each letter in the right column thus becomes a substitute for the associated letter in the left column.
Deciphering is similar, except that we find the ciphertext letter in the right column, then use the associated plaintext letter from the left column. This is a little harder, because the letters in the right column are not in order. But if we wanted to, we could make a list where the ciphertext letters were in order; this would be the inverse of the enciphering transformation. And if we have both lists, enciphering and deciphering are both easy.
The grade school cipher is a simple substitution cipher, a streaming or repeated letter-by-letter application of the same transformation. That "transformation" is the particular arrangement of letters in the second column, a permutation of the alphabet. There can be many such arrangements. But in this case the key is that particular arrangement. We can copy it and give it to someone and then send secret messages to them. But if that sheet is acquired -- or even copied -- by someone else, the enciphered messages would be exposed. This means that we have to keep the transformation secret.
Now suppose we have a full notebook of lined pages, each of which contains a different arrangement in the second column. Suppose each page is numbered. Now we just pick a number and encipher our message using that particular page. That number thus becomes our key, which is now a sort of numeric shorthand for the full transformation. So even if the notebook is exposed, someone who wishes to expose our message must try about half of the transformations in the book before finding the right one. Since exposing the notebook does not immediately expose our messages, maybe we can leave the notebook unprotected. We also can use the same notebook for messages to different people, and each of them can use the exact same notebook for their own messages to each other. Different people can use the same notebook and yet still cipher messages which are difficult to expose without knowing the right key.
Note that there is some potential for confusion in first calling the transformation a key, and then calling the number which selects that transformation also a key. But both of these act to select a particular ciphertext construction from among many, and they are only two of the various kinds of "key" in cryptography.
The simple substitution used in our grade school cipher is very weak, because it "leaks" information: The more often a particular plaintext letter is used, the more often the associated ciphertext letter appears. And since language uses some letters more than others, simply by counting the number of times each ciphertext letter occurs we can make a good guess about which plaintext letter it represents. Then we can try our guess and see if it produces something we can understand. It usually does not take too long before we can break the cipher, even without having the key. In fact, we develop the ultimate key (the enciphering transformation) to break the cipher. This is a codebook attack.
Obviously, when we have few transformations from plaintext to ciphertext, each transformation will be used many times. And if the transformation is known or suspected on even one of those uses, every other use also will be exposed.
One way to reduce this problem is to increase the size of the cipher alphabet. Rather than considering our cipher alphabet to be just the 26 letters, each with a single keyable transformation to ciphertext, we could instead use pairs of those same letters, and have at least 26 x 26 = 676 transformations. This vast increase in keyable transformations makes the code harder to create and store, but also decreases the number of times each individual transformation might be used. We can continue expanding the alphabet by having triplets and quadruplets and so on. Rather quickly we will need a machine to do the operations for us.
A "real" conventional block cipher will have a far larger alphabet. For example, the usual 64-bit block cipher will encipher 8 plaintext characters at the same time, and a change in even one bit in one of those characters will affect all 64 bits of the resulting ciphertext, typically changing about half the values. This is still simple substitution, but with a huge alphabet. Instead of using 26 letters, a 64-bit block cipher views each of 264 different block values as a separate letter, which is something like 18,000,000,000,000,000,000 "letters."
There are various opportunities for increasing cipher strength:
No matter what we do, what we think is a strong cipher may not actually be a strong cipher. We are unlikely to know the practical strength of our cipher. In practice, strength is contextual and depends not only upon some unknown "absolute" strength, but also upon the knowledge and abilities of the attacker or opponent.
Unfortunately, we do not expect to know who the attackers may be, nor their capabilities, nor will they tell us of their successes. So, absent some sort of "proof of strength in practice" (which is generally not possible), there is no way to know whether a cipher is actually protecting the information we entrust to it.
Suppose we have 256 pages of transformations in the notebook; this means there are exactly 256 different keys we can select from. If we write the number 256 in binary we get "100000000"; here the leftmost "1" represents 1 count of 28, and we call this an "8 bit" number. Or we can compute the base 2 logarithm by first taking the natural log of 256 (about 5.545) and dividing that by the natural log of 2 (about 0.693); this result is also 8. So we say that having 256 key possibilities is an "8 bit" keyspace. If we choose one of the 256 key values at random, and use that transformation to encipher a message, someone wishing to break our cipher should have to try about 128 decipherings before happening upon the correct one. The effort involved in trying, on average, 128 decipherings (a brute force attack) before finding the right one, is the design strength of the cipher.
If our notebook had 65,536 pages or keys (instead of just 256), we would have a "16 bit" keyspace. Notice that this number of key possibilities is 256 times that of an "8 bit" keyspace, while the key itself has only 8 bits more than the "8 bit" cipher. The strength of the "16 bit" cipher is the effort involved in trying, on average, 32,768 decipherings before finding the right one.
The idea is the same as a modern cipher: We have a machine which can produce a huge number of different transformations between plaintext and ciphertext, and we select one of those transformations with a key value. Since there are many, many possible keys, it is difficult to expose a message, even though the machine itself is not secret. And many people can use the exact same machine for their own secrets, without revealing those secrets to everyone who has such a machine.
One of the consequences of having a digital electronic machine for ciphering,
is that it operates very, very fast. This means that someone can try a lot more
possibilities than they could with a notebook of paper pages. For example, a "40
bit" keyspace represents about 1012 keys, which sounds like a lot.
Unfortunately, special-purpose hardware could try this many decipherings in
under 5 seconds, which is not much strength. A "56 bit" keyspace represents
about
Under the theory that if a little is good, a lot is better, some people suggest using huge keys of 56,000 bits, or 1,000,000 bits, or even more. We can build such devices, and they can operate quickly. We can even afford the storage for big keys. What we do not have is a reason for such keys: a 128 bit key is "strong enough" to defeat even unimaginably extensive brute force attacks. While a designer might use a larger key for convenience, even immense keys cannot provide more strength than "strong enough." And while different attacks may show that the cipher actually has less strength, a huge keyspace is not going to solve those problems.
Some forms of cipher need relatively large key values simply to have a sufficiently large keyspace. Most number-theory based public key ciphers are in this class. Basically, these systems require key values in a very special form, so that most key values are unacceptable and unused. This means that the actual keyspace is much smaller than the size of the key would indicate. For this reason, public key systems need keys in the 1,000 bit range, while delivering strength perhaps comparable to 128 bit secret key ciphers.
Suppose we want to hide a name: We might think to innovate a different rule for each letter. We might say: "First we have 'T', but 't' is the 3rd letter in 'bottle' so we write '3.'" We can continue this way, and such a cipher could be very difficult to break. So why is this sort of thing not done? There are several reasons:
Modern ciphering is about constructions which attempt to solve these problems. A modern cipher has a large keyspace, which might well be controlled by a hashing computation on a language phrase we can remember. A modern cipher system can handle a wide range of message sizes, with exactly the same key, and normally provides a way to securely re-use keys. And the key can be much, much smaller than a long message.
Moreover, in a modern cipher, we expect the key to not be exposed, even if the opponent has both the plaintext and the associated ciphertext for many messages (a known-plaintext attack). In fact, we normally assume that the opponent knows the full construction of the cipher, and has lots of known plaintext, and still cannot find the key. Such designs are not trivial.
Sometimes a novice gives us 40 or 50 random-looking characters and says, "Bet you can't break this!" But that is not very realistic.
In actual use, we normally assume that a cipher will be widely distributed, and thus somewhat available. So we assume the opponent will somehow acquire either the cipher machine or its complete design. We also assume a cipher will be widely used, so a lot of ciphered material will be around somewhere. We assume the opponent will somehow acquire some amount of plaintext and the associated ciphertext (that is, known plaintext). And even in this situation, we still expect the cipher to hide the key and other messages.
A cipher designer should expect everything to be exposed -- the complete cipher design, ciphertext, unlimited associated plaintext, etc. -- except the actual message and key. All of the exposed information should be provided to anyone working on the problem.
Potentially, cryptography can hide information while it is in transit or storage. In general, cryptography can:
Cryptography hides words: At most, it can only hide talking about contraband or illegal actions. But in a country with "freedom of speech," we normally expect crimes to be more than just "talk."
Cryptography can kill in the sense that boots can kill; that is, as a part of some other process, but that does not make cryptography like a rifle or a tank. Cryptography is defensive, and can protect ordinary commerce and ordinary people. Cryptography may be to our private information as our home is to our private property, and our home is our "castle."
Potentially, cryptography can hide secrets, either from others, or during communication. There are many good and non-criminal reasons to have secrets: Certainly, those engaged in commercial research and development (R&D) have "secrets" they must keep. Business often needs secrecy from competitors while plans and laid and executed, and the need for secrecy often continues as long as there are business operations. Professors and writers may want to keep their work private, until an appropriate time. Negotiations for new jobs are generally secret, and romance often is as well, or at least we might prefer that detailed discussions not be exposed. And health information is often kept secret for good reason.
One possible application for cryptography is to secure on-line communications between work and home, perhaps leading to a society-wide reduction in driving, something we could all appreciate.
Cryptography can only hide information after it is encrypted and while it remains encrypted. But secret information generally does not start out encrypted, so there is normally an original period during which the secret is not protected. And secret information generally is not used in encrypted form, so it is again outside the cryptographic envelope every time the secret is used.
Secrets are often related to public information, and subsequent activities based on the secret can indicate what that secret is.
And while cryptography can hide words, it cannot hide:
And cryptography simply cannot protect against:
It is a joke to imagine that cryptography alone could protect most information against Government investigation. Cryptography is only a small part of the protection needed for "absolute" secrecy.
Usually, we arrange to select among a huge number of possible intermediate forms by using some sort of "pass phrase" or key. Normally, this is some moderately-long language phrase which we can remember, instead of something we have to write down (which someone else could then find).
Those who have one of the original keys can expose the information hidden in the message. This reduces the problem of protecting information to:
This is similar to locking our possessions in our house and keeping the keys in our pocket.
The physical key model reminds us of various things that can go wrong with keys:
Even a