## A Short Classic Cryptography Blog

Dec 21, 2015

A certain game reminded me of a cryptography trick that I learned years ago and haven't had the opportunity to share. First, let's talk substitution ciphers. I'll give two challenges, one with spaces and one without.

```GZKH YOQU TKP QY QB BKOB Q OATOPY KOWE BZ TXQBE O AZHF
QHBXZUSCBQZH TKEHEWEX QV BXPQHF BZ ENJAOQH YZVEBKQHF
YQVJAE COHB JEZJAE GSYB YBOXB XEOUQHF TKEXE VP VQHU
YBOXBY TXQBQHF
```
```PKCCAMSVCNSLADUYDUCLQUFDTCAFZSGDPFNTFSCCNXSTFKGDTXADUMM
SKLSMPODUCLXSFVKPFFZSJNMPFVKMKXMKVZXNISFZSMSPFDJFZSODMC
DUFJNMPFBDZT
```

The trick for the first one is to look at the list of possible two-letter words. Here is the top 101 words in order of occurrence in AI3.

```of
in
to
is
as
by
on
at
an
In
or
it
he
be
He
It
no
up
On
fr
As
es
so
St
if
At
do
An
US
By
No
UK
uk
To
TV
we
If
id
Dr
go
BC
Mr
Of
My
my
OF
Jr
We
me
Me
CD
us
Is
am
Co
So
Al
Up
DC
al
io
cm
Ed
FM
PC
Be
Do
hi
EP
Go
kg
FC
NY
yo
3D
AM
DJ
SS
LP
UN
co
Op
os
Sr
Ma
SR
EU
mg
CA
Or
Wu
IP
MA
Oz
Oh
Am
HD
un
kW
```

There are plenty of two letter words in both challenges, so it should be fairly straightforward how to solve those. Once you've tried values for the two letter words, see what substituting the rest of the characters does to other words. You might find obvious words. If you have a dictionary on your system, you can use grep to find a word automatically. If you have the AI3 wordlist, you automatically get the results in order of likeliness which improves the search many times. It also contains words that a normal dictionary doesn't have.

## AES Ciphertext Collisions Anomaly

April 8-10, 2015
keystream_dupe-0.6.tgz [sig]
keystream_dupe-0.5.tgz [sig]
keystream_dupe-0.4.tgz [sig]
keystream_dupe-0.3.tgz [sig]
keystream_dupe-0.2.tgz [sig]
keystream_dupe-0.1.tgz [sig]

In this very basic cryptography exercise, I have written a simple test of the quality of a cipher. For RC4 and stream ciphers, we can encrypt `\x00\x00\x00\x00` to get the first four bytes of the keystream. I do this for the first 1048576 keys (assuming big endian and 64-bit keys) with RC4. Then I find out how many random keys I have to try before I find the same first four keystream bytes. I do this 1024 times. The data shows that this is around 4 million keys.

For block ciphers like AES, we have to do it slightly differently, but the concept is the exact same. I encrypt "GET / HTTP/1.1\r\n" which happens to be 16 bytes, the exactly correct size to fit in a single block of AES plaintext. I store the first four bytes of the ciphertext for the first 1048576 keys (same assumption as above but 128-bit keys). Then I do the same with random keys and I compare the first four bytes of the ciphertext against the first four bytes of the 1048576 partial ciphertexts. I find out how many random keys I have to try before I find the same first four ciphertext bytes. I do this 1024 times. The data shows that this is around 3 million keys. As you can clearly see, this is far smaller than RC4 (which is known to be vulnerable to many attacks).

Update

To test whether the problem is in AES or RC4, I used my system's random number generator (Linux /dev/urandom) to generate random bytes of keystream and tested how many attempts it would take to collide 1024 times. It took on the order of 4 million. This proves that the issue is either in AES or in RC4 and my system's random number generator. Since my system's random number generator is as good a source of entropy as I have, I must conclude that there is no issue with RC4 and that there is an issue with AES.