ว.ว ทย. มข. 45(2) (2560) KKU Sci. J. 45(2) (2017) บทค ดย อ ABSTRACT

Transcription

1 ว.ว ทย. มข. 45(2) (2560) KKU Sci. J. 45(2) (2017) การปร บปร งรห สล บฮ ลล โดยอาศ ยการเข ารห สล บเป นคาบสองช น และการแปรผ นความยาว A Modification of the Hill Cipher Based on Doubly Periodic Encryption and Length Variation Jirawat Jantarima 1 and Thotsaphon Thongjunthug 1* 1 Department of Mathematics, Faculty of Science, Khon Kaen University, Khon Kaen 40002, Thailand * Corresponding Author, thotho@kku.ac.th บทค ดย อ ในงานว จ ยน เราจะน าเสนอว ธ การปร บปร งรห สล บฮ ลล โดยอาศ ยการเข ารห สล บเป นคาบสองช น ซ งใช ก ญแจล บ 2 ชน ดท ม คาบแตกต างก นในการเข ารห สล บบล อกของข อความปกต แต ละบล อก และอาศ ยการแปรผ น ความยาว เพ อเปล ยนความยาวของข อความรห สล บให ยาวข นกว าเด ม ท าให ได ข อความรห สล บภาคขยายมากมาย หลายแบบ ซ งเป นอ ปสรรคต อการท บ คคลภายนอกจะหาขนาดของก ญแจล บได ส าเร จ จากการศ กษาพบว า รห ส ล บฮ ลล ท ปร บปร งใหม น นสามารถต อต านการโจมต รห สล บแบบทราบข อความต นฉบ บ การโจมต รห สล บแบบทราบ ข อความรห สล บเท าน น และการว เคราะห ความถ ได ด กว ารห สล บฮ ลล ท ปร บปร งโดย Adinarayana Reddy และ คณะ (2012) และใช เน อท ในการเก บก ญแจล บน อยกว าท รห สล บฮ ลล แบบด งเด มใช ABSTRACT In this research, we propose a modification of the Hill cipher using doubly periodic encryption, which requires two types of keys with different periodicity when encrypting each block of plaintext. Length variation is also used for extending the ciphertext so that there are several extended ciphertexts available, which prevent any third-party to determine the true length of secret keys successfully. Our study shows that our modified Hill cipher is more resistant to known-plaintext attack, ciphertext-only attack and frequency analysis, than the modified Hill cipher proposed by Adinarayana Reddy et al. (2012). Moreover, our modified Hill cipher requires less space for the secret keys than the classical Hill cipher.

2 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท ค าส าค ญ: การเข ารห สล บ การถอดรห สล บ รห สล บฮ ลล การแปรผ นความยาว การเป นคาบสองช น Keywords: Encryption, Decryption, Hill cipher, Length variation, Double periodicity 1. INTRODUCTION The Hill cipher is a polygraphic cipher which was invented by Lester S. Hill (1929). Although the Hill cipher is strong against a ciphertext-only attack, it is easily broken with a known-plaintext attack (Stallings, 2011). Thus, several researches have been done to improve the security of the Hill cipher. Acharya et al. (2009) tried to make the Hill cipher more secure by using involutory, permuted and reiterative key matrix generation to generate different keys of data encryption, thereby significantly increases its resistance to various attacks. Toorani and Falahati (2009) also proposed a modification to the Hill cipher based on affine transform and one-way hash function. Moreover, Acharya et al. (2009) presented a novel technique which is a modified version of the Hill cipher algorithm for image encryption named Hill-Shift-XOR (H-S-X) which can be applied to any type of images. Adinarayana Reddy et al. (2012) tried to improve the Hill cipher using circulant matrices, which enhances its performance against known-plaintext attack and chosen-plaintext attack. Magamba et al. (2012) proposed a variable-length key matrix obtained from a maximum distance separable (MDS) master key matrix, which used a different key matrix and this renders the ciphertext immune to known-plaintext and ciphertext-only attacks. However, it is worth pointing out that the proposed algorithm relies on many matrix transformations and this slows down the algorithm. Krishna and Madhuravani (2012) claimed that, using randomized approach, the output of the Hill cipher is randomized to generate multiple ciphertexts for one plaintext. Any one ciphertext is then used for transmission of data. As randomization of ciphertext is made, it is relatively free from known-plaintext and chosenciphertext attacks at slightly more computational overhead. In this research, we will propose a modification of the Hill cipher which utilizes several techniques mentioned above. In particular, we will use doubly periodic encryption, i.e., an encryption technique based on two independent types of keys with different periodicity, and length variation for disguising the true length of ciphertext block. 2. RESEARCH METHODOLOGY 2.1 Overview In this research, we propose a modification of the Hill cipher which consists of the following four main parts:

3 420 KKU Science Journal Volume 45 Number 2 Research 1. Encryption (a) Choose positive integers, such that 1. (b) Let be an matrix such that is invertible modulo and all of its entries are incongruent modulo. Let be a matrix such that the following hold: 1. The number of rows and the number of columns of are greater than. 2. The top-left corner of is, i.e., for some matrices,,. The matrix will be used as one of the two public keys. (c) A sender and a recipient choose a matrix such that the following hold: 1.,,, are incongruent modulo ; 2. gcd, 1 for all 1,2,,; 3. gcd, 1. The matrix will be kept as one of the two secret keys. (d) The sender and the recipient choose a positive integer such that gcd, 1. The integer will be used as another secret key. (e) Calculate key mod. (f) Let be the plaintext and be the th block of plaintext. Each is viewed as an 1 matrix. (g) Use the matrix to generate matrices,,,, where is the number of all distinct matrices generated by (see Section 2.2 and Theorem 1). Note that all matrices are invertible modulo. (h) From the chosen, generate,,,, where is the number of all distinct matrices generated by (see Section 2.3 and Theorem 2). Note that. (i) For each block of plaintext, the associated block of ciphertext is calculated by T mod where and mod mod if, if, if, if.

4 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท (j) All blocks is then combined to form the ciphertext. 2. Extending the ciphertext After encryption, we find a method to extend the length of ciphertext so that we obtain an extended ciphertext ext whose length is at most two times of the length of (see Section 2.4). 3. Reducing an extended ciphertext After receiving an extended ciphertext ext, we find a method to reduce the length of extended ciphertext into the original ciphertext (see Section 2.5). The ciphertext is then split as a number of blocks, each of which is viewed as an 1 matrix. 4. Decryption (a) Calculate mod. (b) For each block of ciphertext, the associated block of plaintext is calculated by T mod. In addition, cryptanalysis of our modified Hill cipher will be conducted in terms of frequency analysis, ciphertext-only attack, and known-plaintext attack. 2.2 Generating matrices Our procedure for generating the keys from a given matrix consists of the following steps: 1. Set 1, 2, 1, 2, and Let. 3. Repeat the following: (a) While, repeat the following: i. Let be the matrix obtained by swapping the th column and the th column of. ii. Increase by 1. iii. Increase by 1. iv. If, then we set 1; otherwise, increase by 1. (b) If, then this process terminates. (c) Let be the matrix obtained by switching the th row and the th of. (d) Increase by 1. (e) Increase by 1. (f) If, then we set 1; otherwise, we increase by 1.

5 422 KKU Science Journal Volume 45 Number 2 Research (g) Reset 1 and 2. (h) Repeat step 3. This procedure can be summarized as the flowchart shown in Figure 1. It should be noted that our procedure only switches rows and columns of, and so det det. Hence, all matrices are invertible modulo if and only if is invertible modulo. 2.3 Generating matrices Our procedure for generating the keys from a given initial matrix consists of the following steps: 1. Let. 2. Set 2 and Let be the row obtained by swapping the th column and the 1th column of. For example, if, then. 4. If, then our generating procedure terminates; otherwise, we define. 5. Increase by If 1, then we reset 1; otherwise, we increase by Back to step 3. This procedure can be summarized as the flowchart shown in Figure 2.

6 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Start (Left) (Right) (Up) (Down) Let be the matrix obtained by swapping the th column and the th column of. 1 1? No Yes 1 1 Let be the matrix obtained by switching the th row and the th row of. Yes? No Yes Stop Yes? No? 1 2 No 1 Figure 1 The procedure for generating matrices from a given matrix

7 424 KKU Science Journal Volume 45 Number 2 Research Start d 1 2 Let be the row obtained by swapping the th column and the 1th column of. Stop Yes? No 1 1? Yes 1 No 1 Figure 2 The procedure for generating from a given matrix

8 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Extending the Ciphertext The length of ciphertext can be extended using the following steps: 1. The sender chooses a positive integer and defines the set of addenda,,, where mod for all 1,2,,. The integer (with ) is used as another public key. 2. For each pair 1 of entries in the ciphertext, consider the following cases: Case 1. If the pair matches any two addenda, then we insert a different addendum at the end of each entry in the pair. Case 2. If exactly one entry in the pair matches an addendum, then we insert a different addendum at the end of the addendum found in the pair, and insert an addendum next to the non-addendum entry in the pair. Case 3. If the pair does not match any addendum, then insertion is not required. But if we choose to do insertion, then an addendum is inserted next to each entry in the pair. 3. Multiply each entry obtained from step 2 by. One can see easily that, given the ciphertext, this method can yield different extended ciphertexts, each of which has length up to two times of the length of the ciphertext. Therefore, the true ciphertext and the length of each ciphertext block are completely disguised. Moreover, since each entry in the extended ciphertext is multiplied by, the set of addenda is also disguised. 2.5 Reducing the extended ciphertext This method consists of the following steps: 1. Multiply each entry of the extended ciphertext by, the inverse of modulo. 2. Considers one pair of entries in the extended ciphertext at a time. Each pair then contributes up to two entries to the ciphertext, depending on the following cases: Case 1. If the pair matches any two addendum, then we discard the last entry in the pair and the rest is contributed to the ciphertext. Case 2. If only one addendum is found in the pair, then only the nonaddendum entry is contributed to the ciphertext. 1 If the length of the ciphertext is odd, then the last entry is considered as a pair.

9 426 KKU Science Journal Volume 45 Number 2 Research Case 3. If the pair does not match any addendum, then the whole pair is contributed to the ciphertext. 3. RESULTS Theorem 1. There are 1 matrices which are generated by (of dimension ), all of which are distinct modulo. Proof. Recall that mod. Since all entries of are distinct modulo and gcd, 1, it follows that all entries of are also distinct modulo. Moreover, since is invertible modulo, it follows that mod exists, i.e., is also invertible modulo. We define the initial matrix. Consider switching columns by the procedure mentioned in Section 2.2, we obtain the following: Initial matrix:. Switching the columns 1 and 2:. Switching the columns 2 and 3:. Continue switching columns in this fashion. Then we obtain the following: Switching the columns 1 and :. Switching the columns and 1:. Therefore, we obtain,,,, which are all distinct modulo, in the first round. Consider switching in the second round. In that round, we obtain the following: Switching the rows 1 and 2 of the initial matrix :.

10 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Switching columns 1 and 2:. Switching columns 2 and 3:. Continue switching columns in this fashion. Then we obtain the following: Switching columns 1 and :. Switching the columns and 1:. Therefore, switching in the second round yields 1 matrices which are distinct modulo. Repeat this process until we reach the 1th round. In that round, we obtain the following: Switching the rows and 1 of the initial matrix :. Switching columns 1 and 2:. Switching columns 2 and 3:. Continue switching columns in this fashion. Then we obtain the following: Switching the columns and 1:. Therefore, switching in the 1th round yields 1 matrices which are distinct modulo. It is easy to see that swapping rows causes all matrices in different rounds to be different. Moreover, in the same round, it is clear that all 1 matrices are different. Hence, there are altogether 11 1 matrices generated by.

11 428 KKU Science Journal Volume 45 Number 2 Research Example 1. Let Then we have the following matrices:. One can see that all entries of are distinct modulo Theorem 2. There are 1 matrices which are generated by (of dimension 1), all of which are distinct modulo. Proof. We define the first row matrix. In the first round, by applying the procedure mentioned in Section 2.3, we obtain. Since all entries of are distinct modulo, it is clear that,,, are distinct modulo. Therefore, we obtain 1 distinct rows in the first round. Consider switching in the second round. We obtain. Observe that,,, are distinct, for the location of in each varies. Therefore, we obtain 1 distinct rows in the second round. Continue this procedure until we reach the 1th round. In that round, we obtain

12 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Observe that,,, are distinct, for the location of in each varies. Therefore, we obtain 1 distinct rows in the 1th round. Consider switching in the th round. We obtain. Observe that,,, are distinct, for the location of in each varies. Therefore, we obtain 1 distinct rows in the th round. Clearly all matrices generated by different rounds are completely distinct. Therefore, switching for rounds yields 11 1 distinct matrices. Example 2. Let Note that all entries of are distinct modulo 11. When switching column with steps as mentioned in Section 2.3, we obtain the following: Row 1: Row 2: Row 3: Row 4: Row 5: Row 6: We can see that swapping elements of again yields, so this process terminates. As there are 1 different matrices generated by and there are 1 different row matrices generated by, this provides double periodicity for encryption. In particular, our encryption will use the same pair of the keys, after a certain number of blocks of plaintext. To find such number, the next lemma is required. Lemma 1. For all positive integers 1, we have if is even, lcm1 2, if 3 mod 4, if 1 mod 4. Proof. Let gcd1,. Then we have 1, and so 1. It then follows that gcd1, 1.

13 430 KKU Science Journal Volume 45 Number 2 Research Moreover, by the Euclidean algorithm, one can see that gcd1, 1 gcd 1, 4. Now consider the following cases: 1. If is odd, then 1 is even. (a) If 4 1 (i.e., 1 mod 4), then we obtain gcd1,4 4. (b) If 4 1 (i.e., 1 mod 4), then we have 3 mod 4 because is odd. Since 2 1, we obtain gcd1, If is even, then 1 is odd. Thus, gcd1,4 1. In conclusion, we have 1 if is even, gcd1,1 2 if 3 mod 4, 4 if 1 mod 4. The lemma then follows from the fact that 1 1 gcd1,1 lcm1,1. Theorem 3. Let be the smallest number of -blocks of plaintext required so that the same pair of the keys, can be used. Then if is even, if 3 mod 4, if 1 mod 4. Proof. The theorem follows directly from Lemma 1 and the pigeonhole principle. Theorem 4. Let,,, be the set of addenda as defined in Section 2.4. Then,,, are incongruent modulo. Proof. Assume, to the contrary, that mod for some, 1,2,, with. Then we have mod. Since gcd, 1, this implies that mod. But 1,, this implies that, a contradiction. The next example illustrates how encryption and decryption is done using our modified cipher.

14 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Example 3. Choose 39, 4 and 9. Let be one of the public key. One can verify that every square submatrices at the top-left corner of is invertible modulo 39, so any one of them can be used as the key. Here, as 4, we let Let be one of the two secret keys. Then we let mod Consider the plaintext As mentioned earlier, our procedures can generate different matrices and different matrices. Here, since there are only 4 blocks of plaintext (each of length 4), we only need,, and,, for encryption. Encrypting each block of plaintext, we obtain T T mod T T mod T T mod T T mod Therefore, the ciphertext is

15 432 KKU Science Journal Volume 45 Number 2 Research Define the set of addenda,,, where mod. We have mod mod mod mod mod mod mod mod mod 39. Therefore, we have 23, 7, 30, 14, 37, 21, 5, 28, 12. Extending the ciphertext using the set, first we obtain as one of possible results after insertion. Suppose that 7 is chosen as another secret key. Then the extended ciphertext is ext mod 39, which is sent to the recipient. For the recipient, in order to decrypt the message, the extended ciphertext needs to be reduced first. Multiplying ext by 28, we obtain ext mod 39. After eliminating all addenda, we finally have rdc , i.e., the true ciphertext is obtained. Decrypting each block of ciphertext, we have T T mod T T mod T T mod

16 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท T T mod Therefore, we again obtain the plaintext DISCUSSION In this section, we will discuss some benefits provided by our modified Hill cipher towards certain cryptological aspects. 4.1 Frequency analysis By calculating the frequency of each digit in the plaintext, ciphertext and the extended ciphertext ext illustrated in Example 3, we find that our modified Hill cipher can manipulate all digits so that the frequency of each digit in the plaintext, ciphertext and extended ciphertext cannot be mutually compared (see Figure 3). Hence, our modified Hill cipher is resistant to frequency analysis attack similarly to the original Hill cipher. Figure 3 Frequency analysis of digits in (blue), (red), (magenta) and ext (green)

17 434 KKU Science Journal Volume 45 Number 2 Research 4.2 Determining the length of plaintext block Although the square matrix used to generate the initial key is a submatrix of the public key, we can choose so that there can be several possibilities for such, as illustrated in Example 3. This therefore prevents an opponent from knowing the exact value of (the dimension of, the length of, the length of plaintext block and the length of ciphertext block), and so finding the initial matrices and by brute force is impossible. Even if the entire extended ciphertext is intercepted, its length still depends on the choice of extended ciphertext made by the sender. Hence, the dimension cannot be determined immediately as a factor of the length of extended ciphertext unless the extended ciphertext is correctly reduced. 4.3 Determining the ciphertext In order to obtain the correct ciphertext, the set of addenda must be correctly determined first. As (the size of ) is known publicly, the opponent may carry frequency analysis to determine all most frequently seen digits in the extended ciphertext (see Figure 4). Nevertheless, to obtain all correct addenda, the secret key is required. Note that gcd, 1, so there are (the Euler s phi function of ) possible values which can be chosen as. Moreover, since the secret key is unknown to the opponent, generating the set directly from is impossible. Figure 4 Frequency analysis of digits in the extended ciphertext ext

18 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท Determining and If somehow the opponent can determine, and the set of addenda successfully, then the extended ciphertext can be reduced to the ciphertext and there might be an attempt to determine the secret key, which in turn would yield the key. However, successful determination of will only yield the sum, and there are matrices resulting in this sum. Thus, the secret key cannot be determined exactly. Furthermore, since but is unknown to the opponent, the key also cannot be determined exactly. 4.5 Ciphertext-only attack Ciphertext-only attack is an attack where the opponent knows only the encryption algorithm and the ciphertext, and so it is the easiest attack to defend against (Stallings, 2011). Suppose that the opponent can successfully reduce the extended ciphertext to the ciphertext. If the opponent attempts to attack using only the knowledge of a ciphertext block, say,, then from the encryption algorithm, we have T T mod. (1) Since the opponent cannot determine successfully and the plaintext block (of length ) is unknown, this yields a system of linear congruences with 2 variables (provided that is regarded as a variable). Such system cannot have a unique solution; thus, the opponent cannot obtain the plaintext in this way. Alternatively, the opponent may ease the attack by using the fact that some blocks of plaintext are encrypted using the same pair of the keys,. By Theorem 3, this situation can occur only when at least 1, 1, or 11 1 blocks of ciphertext are intercepted, depending on. In contrast, the modified Hill cipher proposed by Adinarayana Reddy et al. (2012), which uses the encryption algorithm T mod where is a common key used by every plaintext block and is of length, will be compromised when only blocks of ciphertext are intercepted. Hence, our modified Hill cipher provides higher security against ciphertext-only attack than the one of Adinarayana Reddy et al. (2012).

19 436 KKU Science Journal Volume 45 Number 2 Research 4.6 Known-plaintext attack Known-plaintext attack is an attack where the opponent knows encryption algorithm, ciphertext, and one or more plaintext-ciphertext pairs formed with the secret key (Stallings, 2011). Suppose that the opponent can successfully reduce the extended ciphertext to the ciphertext. If the opponent attempts to attack using the knowledge of a plaintext-ciphertext pair, say,,, then from the encryption algorithm (1), we will obtain a system of linear congruences with 1 variables (provided that is regarded as a variable). Again, such system cannot have a unique solution; thus, the opponent still cannot obtain the plaintext. Similarly to the case of ciphertext-only attack, if the opponent attempts to ease the attack using the same pair of the keys,, then our modified Hill cipher is more resistant to this attack than the one of Adinarayana Reddy et al. (2012), for ours will take considerably larger period for the same pair of the keys, to be re-used. 4.7 The size of secret keys Suppose that each block of plaintext has length. The classical Hill cipher uses an matrix as the secret key, and so there are integers for the secret key. On the other hand, the modified Hill cipher proposed by Adinarayana Reddy et al. (2012) only requires integers for the secret key. Although our modified Hill cipher requires 1 integers for the secret keys (which is slightly less economical than the one of Adinarayana Reddy et al. (2012)), it can provide additional securities in several aspects, as mentioned earlier. 5. CONCLUSIONS In this research, we propose a new modification of the Hill cipher using doubly periodic encryption and length variation. Our modified cipher uses the matrix and the positive integer as the public keys, and uses the matrix and the positive integer as the secret keys. Thus, our modified cipher only requires 1 integers for the secret key; this is more economical than the classical Hill cipher, but is slightly less economical than the modified Hill cipher proposed by Adinarayana Reddy et al. (2012). Combination of the secret key and the public key provides two initial keys and, both of which are then used to generate different keys and for each round of encryption. Our procedures ensure that both types of keys have different periodicity, which leads to larger period for the same pair of the keys, to be re-used in encryption, and in turn minimizes the risk of ciphertext-only and known-plaintext attacks.

20 งานว จ ย วารสารว ทยาศาสตร มข. ป ท 45 เล มท In addition, our modified Hill cipher introduces a method to extend the ciphertext so that there can be many possible extended ciphertexts obtained from the same ciphertext, whereas reducing any one of those extended ciphertexts always yields the same ciphertext. This procedure can disguise the length, and so determination of the secret keys by brute force is thwarted. It also results in variation of the frequency of each digit, which prevents the opponent from frequency analysis attack. 6. ACKNOWLEDGEMENTS The authors are grateful to Department of Mathematics, Faculty of Science, Khon Kaen University, for supporting facilities towards this research. 7. REFERENCES Acharya, B., Patra, S.K. and Panda, G. (2009). Involutory permuted and reiterative key matrix generation methods for Hill cipher system. International Journal of Recent Trends in Engineering 1(4): Acharya, B., Shukla, S.K., Panigrahy, S.K., Patra, S.K. and Panda, G. (2009). H-S-X cryptosystem and its application to image encryption. In: Proceedings of the 2009 International Conference on Advances in Computing, Control and Telecommunication Technologies (ACT 2009), December 2009, Trivandrum, Kerala, India. Guerrero, J.E. (ed.). IEEE Computer Society, Los Alamitos Adinarayana Reddy, K., Vishnuvardhan, B., Madhuviswanatham, V. and Krishna, A.V.N. (2012). A modified Hill cipher based on circulant matrices. Procedia Technology 4: Hill, L.S. (1929). Cryptography in an algebraic alphabet. The American Mathematical Monthly 36(6): Krishna, A.V.N. and Madhuravani, K. (2012). A modified Hill cipher using randomized approach. International Journal of Computer Network and Information Security 4(5): Magamba, K., Kadaleka, S. and Kasambara, A. (2012). Variable-length Hill cipher with MDS key matrix. International Journal of Computer Applications 57(13): Stallings, W. (2011). Cryptography and Network Security: Principles and Practice. (5th ed.). Upper Saddle River: Pearson Education. pp Toorani, M. and Falahati, A. (2009). A secure variant of the Hill cipher. In: Proceedings of the 14th IEEE Symposium on Computers and Communications (ISCC 2009), 5-9 July 2009, Sousse, Tunisia. Elmaghraby, A. (ed.). IEEE Computer Society, Los Alamitos