
Hacker Professional Ebook part 155 doc


dec hex ctrl name    dec hex char    dec hex char    dec hex char
 22  16  ^V  SYN      54  36  6       86  56  V      118  76  v
 23  17  ^W  ETB      55  37  7       87  57  W      119  77  w
 24  18  ^X  CAN      56  38  8       88  58  X      120  78  x
 25  19  ^Y  EM       57  39  9       89  59  Y      121  79  y
 26  1a  ^Z  SUB      58  3a  :       90  5a  Z      122  7a  z
 27  1b  ^[  ESC      59  3b  ;       91  5b  [      123  7b  {
 28  1c  ^\  FS       60  3c  <       92  5c  \      124  7c  |
 29  1d  ^]  GS       61  3d  =       93  5d  ]      125  7d  }
 30  1e  ^^  RS       62  3e  >       94  5e  ^      126  7e  ~
 31  1f  ^_  US       63  3f  ?       95  5f  _      127  7f  DEL

Associative

A dyadic operation in which two sequential operations on three arguments can first operate on either the first two or the last two arguments, producing the same result in either case: (a + b) + c = a + (b + c). Also see: commutative and distributive.

Asymmetric Cipher

A public key cipher.

Attack

General ways in which a cryptanalyst may try to "break" or penetrate the secrecy of a cipher. These are not algorithms; they are just approaches as a starting place for constructing specific algorithms.

Classically, attacks were neither named nor classified; there was just: "here is a cipher, and here is the attack." And while this gradually developed into named attacks, there is no overall attack taxonomy. Currently, attacks are often classified by the information available to the attacker or constraints on the attack, and then by strategies which use the available information. Not only ciphers, but also cryptographic hash functions can be attacked, generally with very different strategies.

Informational Constraints

We are to attack a cipher which enciphers plaintext into ciphertext or deciphers the opposite way, under control of a key. The available information necessarily constrains our attack strategies.

- Ciphertext Only: We have only ciphertext to work with. Sometimes the statistics of the ciphertext provide insight and can lead to a break.
- Known Plaintext: We have some, or even an extremely large amount, of plaintext and the associated ciphertext.
- Defined Plaintext: We can submit arbitrary messages to be ciphered and capture the resulting ciphertext. (Also Chosen Plaintext and Adaptive Chosen Plaintext.)
- Defined Ciphertext: We can submit arbitrary messages to be deciphered and see the resulting plaintext. (Also Chosen Ciphertext and Adaptive Chosen Ciphertext.)
- Chosen Key: We can specify a change in any particular key bit, or some other relationship between keys.
- Timing: We can measure the duration of ciphering operations and use that to reveal the key or data.
- Fault Analysis: We can induce random faults into the ciphering machinery, and use those to expose the key.
- Man-in-the-Middle: We can subvert the routing capabilities of a computer network, and pose as the other side to each of the communicators. (Usually a key authentication attack on public key systems.)

Attack Strategies

The goal of an attack is to reveal some unknown plaintext, or the key (which will reveal the plaintext). An attack which succeeds with less effort than a brute-force search we call a break. An "academic" ("theoretical," "certificational") break may involve impractically large amounts of data or resources, yet still be called a "break" if the attack would be easier than brute force. (It is thus possible for a "broken" cipher to be much stronger than a cipher with a short key.) Sometimes the attack strategy is thought to be obvious, given a particular informational constraint, and is not further classified.

- Brute Force (also Exhaustive Key Search): Try to decipher ciphertext under every possible key until readable messages are produced. (Also "brute force" any searchable-size part of a cipher.)
- Codebook (the classic "codebreaking" approach): Collect a codebook of transformations between plaintext and ciphertext.
- Differential Cryptanalysis: Find a statistical correlation between key values and cipher transformations (typically the Exclusive-OR of text pairs), then use sufficient defined plaintext to develop the key.
- Linear Cryptanalysis: Find a linear approximation to the keyed S-boxes in a cipher, and use that to reveal the key.
- Meet-in-the-Middle: Given a two-level multiple encryption, search for the keys by collecting every possible result for enciphering a known plaintext under the first cipher, and deciphering the known ciphertext under the second cipher; then find the match.
- Key Schedule: Choose keys which produce known effects in different rounds.
- Birthday (usually a hash attack): Use the birthday paradox, the idea that it is much easier to find two values which match than it is to find a match to some particular value.
- Formal Coding (also Algebraic): From the cipher design, develop equations for the key in terms of known plaintext, then solve those equations.
- Correlation: In a stream cipher, distinguish between data and confusion, or between different confusion streams, from a statistical imbalance in a combiner.
- Dictionary: Form a list of the most-likely keys, then try those keys one-by-one (a way to improve brute force).
- Replay: Record and save some ciphertext blocks or messages (especially if the content is known), then re-send those blocks when useful.

Many attacks try to isolate unknown small components or aspects so they can be solved separately, a process known as divide and conquer. Also see: security.

Augmented Repetitions

When sampling with replacement, eventually we again find some object or value which has been found before. We call such an occurrence a "repetition." A value found exactly twice is a double, or "2-rep"; a value found three times is a triple or "3-rep," and so on.

For a known population, the number of repetitions expected at each level has long been understood to be a binomial expression. But if we are sampling in an attempt to establish the effective size of an unknown population, we have two problems:

1. The binomial equations which predict expected repetitions do not reverse well to predict population, and
2. Exact repetitions discard information and so are less accurate than we would like. For example, if we have a double and then find another of that value, we now have a triple, and one less double. So if we are using doubles to predict population, the occurrence of a triple influences the predicted population in exactly the wrong direction.

Fortunately, there is an unexpected and apparently previously unknown combinatoric relationship between the population and the number of combinations of occurrences of repeated values. This allows us to convert any number of triples and higher n-reps to the number of 2-reps which have the same probability. So if we have a double, and then get another of the same value, we have a triple, which we can convert into three 2-reps. The total number of 2-reps from all repetitions (the augmented 2-reps value) is then used to predict population.

We can relate the number of samples s to the population N through the expected number of augmented doubles Ead:

    Ead(N,s) = s(s-1) / (2N)

This equation is exact, provided we interpret all the exact n-reps in terms of 2-reps. For example, a triple is interpreted as three doubles; the augmentation from 3-reps to 2-reps is (3 C 2) or 3. The augmented result is the sum of the contributions from all higher repetition levels:

    ad = SUM(i=2..n) (i C 2) r[i]

where ad is the number of augmented doubles, and r[i] is the exact repetition count at the i-th level. And this leads to an equation for predicting population:

    Nad(s,ad) = s(s-1) / (2 ad)

This predicts the population Nad as based on a mean value of augmented doubles ad. Clearly, we expect the number of samples to be far larger than the number of augmented doubles, but an error in the augmented doubles ad should produce a proportionally similar error in the predicted population Nad. We typically develop ad to high precision by averaging the results of many large trials.
However, since the trials should have approximately a simple Poisson distribution (which has only a single parameter), we could be a bit more clever and fit the results to the expected distribution, thus perhaps developing a bit more accuracy.

Also see the article: Estimating Population from Repetitions in Accumulated Random Samples, and the Population Estimation Worksheets in JavaScript page of the Ciphers By Ritter / JavaScript computation pages.

Authentication

One of the objectives of cryptography: Assurance that a message has not been modified in transit or storage (message authentication or message integrity). Also key authentication for public keys. Also user or source identification, which may verify the right to send the message in the first place.

Message Authentication

One form of message authentication computes a CRC hash across the plaintext data, and appends the CRC remainder (or result) to the plaintext data: this adds a computed redundancy to an arbitrary message. The CRC result is then enciphered along with the data. When the message is deciphered, if a second CRC operation produces the same result, the message can be assumed unchanged.

Note that a CRC is a fast, linear hash. Messages with particular CRC result values can be constructed rather easily. However, if the CRC is hidden behind strong ciphering, an Opponent is unlikely to be able to change the CRC value systematically or effectively. In particular, this means that the CRC value will need more protection than a simple exclusive-OR stream cipher or the exclusive-OR approach to handling short last blocks in a block cipher.

A similar approach to message authentication uses a nonlinear cryptographic hash function. These also add a computed redundancy to the message, but generally require significantly more computation than a CRC. It is thought to be exceedingly difficult to construct messages with a particular cryptographic hash result, so the hash result perhaps need not be hidden by encryption.

One form of cryptographic hash is DES CBC mode: using a key different than that used for encryption, the final block of ciphertext is the hash of the message. This obviously doubles the computation when both encryption and .
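The Augmented Repetitions entry above, worked as an added example (not part of the original glossary): it samples with replacement from a known population, converts every n-rep into 2-reps, and compares the population predicted from augmented doubles with the one predicted from exact doubles alone. The function names, the seed and the trial sizes are assumptions chosen for illustration.

```python
import random
from collections import Counter
from math import comb

def rep_counts(samples):
    """Return r, where r[i] = number of values found exactly i times (i >= 2)."""
    per_value = Counter(samples)
    return Counter(c for c in per_value.values() if c >= 2)

def augmented_doubles(r):
    """ad = SUM(i=2..n) (i C 2) r[i]: every n-rep converted to 2-reps."""
    return sum(comb(i, 2) * count for i, count in r.items())

def expected_ad(N, s):
    """Ead(N,s) = s(s-1) / (2N)."""
    return s * (s - 1) / (2 * N)

def predict_population(s, ad):
    """Nad(s,ad) = s(s-1) / (2 ad)."""
    return s * (s - 1) / (2 * ad)

def run_trials(N, s, trials, seed=2014):
    """Mean augmented doubles and mean exact doubles over many trials,
    each trial drawing s samples with replacement from a population of N."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable data
    ad_sum = exact2_sum = 0
    for _ in range(trials):
        r = rep_counts(rng.randrange(N) for _ in range(s))
        ad_sum += augmented_doubles(r)
        exact2_sum += r[2]  # exact doubles only; triples are discarded here
    return ad_sum / trials, exact2_sum / trials

if __name__ == "__main__":
    N, s = 1000, 200  # assumed sizes, dense enough that triples occur
    mean_ad, mean_exact2 = run_trials(N, s, trials=500)
    print("expected ad        :", expected_ad(N, s))
    print("measured mean ad   :", mean_ad)
    print("N from augmented ad:", round(predict_population(s, mean_ad)))
    print("N from exact 2-reps:", round(predict_population(s, mean_exact2)))
```

The prediction from exact doubles comes out too large because every triple removes a double, which is the "wrong direction" effect the entry describes.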
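Why the Message Authentication entry says a CRC needs more protection than an exclusive-OR stream cipher, shown as an added example (not code from the original glossary). The keystream, key and messages are constructed test values, the function names are assumptions, and HMAC-SHA-256 stands in for the keyed nonlinear hash; the entry itself mentions DES CBC.

```python
import hashlib
import hmac
import zlib

def xor(a, b):
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data):
    return zlib.crc32(data).to_bytes(4, "big")

def seal_crc(keystream, plaintext):
    """Scheme the entry warns about: data + CRC under an XOR stream."""
    return xor(plaintext + crc(plaintext), keystream)

def open_crc(keystream, ciphertext):
    framed = xor(ciphertext, keystream)
    data, tag = framed[:-4], framed[-4:]
    return data if crc(data) == tag else None

def shift_crc(ciphertext, delta):
    """Apply plaintext change `delta` with no key, using CRC linearity:
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length)."""
    n = len(delta)
    fix = xor(crc(delta), crc(bytes(n)))
    return xor(ciphertext[:n], delta) + xor(ciphertext[n:], fix)

def seal_hmac(keystream, mac_key, plaintext):
    """Keyed nonlinear hash computed over the ciphertext."""
    body = xor(plaintext, keystream)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_hmac(keystream, mac_key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, body, hashlib.sha256).digest()
    return xor(body, keystream) if hmac.compare_digest(tag, good) else None

if __name__ == "__main__":
    ks, mk = bytes(range(7, 71)), b"constructed-mac-key"  # constructed values
    msg, changed = b"level=1;unit=42", b"level=9;unit=42"
    delta = xor(msg, changed)
    modified = shift_crc(seal_crc(ks, msg), delta)
    print("CRC check returns :", open_crc(ks, modified))   # modification undetected
    blob = seal_hmac(ks, mk, msg)
    tampered = xor(blob[:len(msg)], delta) + blob[len(msg):]
    print("HMAC check returns:", open_hmac(ks, mk, tampered))  # None: detected
```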

Date posted: 04/07/2014, 11:20