Deconstructing Columnar Transposition Ciphers

DECONSTRUCTING COLUMNAR TRANSPOSITION CIPHERS Robert Talbert, PhD Associate Professor of Mathematics and Computing Science Franklin College, Franklin, IN Ball State University Mathematics Faculty Colloquium 2 April 2009

How encryption/decryption works

How encryption/decryption works Message (plaintext)

How encryption/decryption works Message (plaintext) Key

How encryption/decryption works Message (plaintext) Encrypted message (ciphertext) Key

How encryption/decryption works Message (plaintext) Encrypted message (ciphertext) Key Key

How encryption/decryption works Message (plaintext) Message (plaintext) Encrypted message (ciphertext) Key Key

How encryption/decryption works Message (plaintext) Message (plaintext) Encrypted message (ciphertext) Key Key Alice and Bob share the same key

How encryption/decryption works Message (plaintext) Message (plaintext) Encrypted message (ciphertext) Key Key Alice and Bob share the same key Should be easy to decrypt with the key

How encryption/decryption works Message (plaintext) Message (plaintext) Encrypted message (ciphertext) Key Key Alice and Bob share the same key Should be easy to decrypt with the key Should be very difﬁcult to decrypt without the key

CLASSICAL CIPHER SYSTEMS SUBSTITUTION TRANSPOSITION

CLASSICAL CIPHER SYSTEMS SUBSTITUTION TRANSPOSITION Replace plaintext symbols by other symbols.

CLASSICAL CIPHER SYSTEMS SUBSTITUTION TRANSPOSITION Rearrange plaintext Replace plaintext symbols according to a well- by other symbols. deﬁned rule.

Columnar transposition cipher

Columnar transposition cipher : Agree upon a positive integer, C

Columnar transposition cipher : Agree upon a positive integer, C C ••• ••• ••• ••• ••• ••• ••• • • • •••

Columnar transposition cipher : Agree upon a positive integer, C C Enter plaintext into the grid one row at a time; ••• wrap to ﬁrst column. ••• ••• ••• ••• ••• ••• • • • •••

Columnar transposition cipher : Agree upon a positive integer, C C Enter plaintext into the grid one row at a time; ••• wrap to first column. ••• Read text off starting in top-left position and going down first ••• column; wrap to first row. ••• ••• ••• ••• • • • •••

Columnar transposition cipher : Agree upon a positive integer, C C Enter plaintext into the grid one row at a time; ••• wrap to first column. ••• Read text off starting in top-left position and going down first ••• column; wrap to first row. ••• ••• ••• ••• • • Enter ciphertext into the • grid one column at a time; ••• wrap to first row & read off.

THE ENEMY ADVANCES AT DAWN (USING C=5)

THE ENEMY ADVANCES AT DAWN (USING C=5) T H E E N E M Y A D V A N C E S A T D A W N

THE ENEMY ADVANCES AT DAWN (USING C=5) T H E E N E M Y A D V A N C E S A T D A W N TEVSWHMAANEYNTEACDNDEA

Double encryption = Double security? Multiple encryption using CTC with C = 4:

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY COHTPPAYRRGY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY COHTPPAYRRGY CPROPRHAGTYY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY COHTPPAYRRGY CPROPRHAGTYY CPGPRTRHYOAY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY COHTPPAYRRGY CPROPRHAGTYY CPGPRTRHYOAY CRYPTOGRAPHY

Double encryption = Double security? Multiple encryption using CTC with C = 4: CRYPTOGRAPHY CTAROPYGHPRY COHTPPAYRRGY Columnar transposition on 12 characters using 4 columns has order = 5. CPROPRHAGTYY CPGPRTRHYOAY CRYPTOGRAPHY

AGENDA FOR TALK

AGENDA FOR TALK • Address: What is the order of a columnar transposition cipher? • Explicit formula for underlying permutation • Specialize to C = 2, the “rail fence cipher” • Analyze cycle structure when C = 2 • Determine order when C = 2 • Unanswered questions

A FORMULA FOR THE COLUMNAR TRANSPOSITION CIPHER PERMUTATION

π C, L = Permutation implementing C.T.C. C = Number of columns being used L = Length of plaintext (= length of ciphertext) (an element of SL )

π C, L = Permutation implementing C.T.C. C = Number of columns being used L = Length of plaintext (= length of ciphertext) (an element of SL ) C A1 R π 3,9 : CARDINALS CDA2A1ILRNS D I N A2 L S

π C, L = Permutation implementing C.T.C. C = Number of columns being used L = Length of plaintext (= length of ciphertext) (an element of SL ) C A1 R π 3,9 : CARDINALS CDA2A1ILRNS D I N A2 L S 0 1 2 012345678 036147258 3 4 5 6 7 8

π C, L = Permutation implementing C.T.C. C = Number of columns being used L = Length of plaintext (= length of ciphertext) (an element of SL ) C A1 R π 3,9 : CARDINALS CDA2A1ILRNS D I N A2 L S 0 1 2 012345678 036147258 3 4 5 6 7 8 π 3,9 = (1 3)(2 6)(5 7)

π 4,13 : t0 t1 t2 t3 t4 t5 t6 t7 t 0t 4 t 8t12t1t 5t 9t 2t 6t10t 3t 7t11 t8 t9 t10 t11 t12 π 4,13 = (1, 4)(2, 7, 11, 12, 3, 10, 9, 6, 8) 0 is ﬁxed (always); 5 is ﬁxed Where does the character in position n end up?

C ••• ••• n ••• ••• ••• ••• ••• • • • ••• π C, L (n) = (# of preceding rows) + (# of positions in preceding columns) A B

THE ENEMY ADVANCES AT DAWN (USING C=5) T H E E N E M Y A D V A N C E S A T D A W N TEVSWHMAANEYNTEACDNDEA

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 π 5,22 (2) = 10 (# char's in preceding columns) π 5,22 (5) = 1 (# of preceding rows) π 5,22 (11) = 7 (5 in prec column + 2 prec rows) π 5,22 (13) = 10 + 4 + 2 = 16

} ••• q A ••• n ••• ••• ••• ••• ••• • • • ••• n’ = n mod C n = Cq + n′ n − n′ q= C

C ••• B ••• n L/C, round up ••• ••• ••• ••• ••• • • • a ••• If a column preceding n’s column is not full, ﬁll it with a “dummy”. # characters in any \"full\" column: # dummies: L   C 0 if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ # full columns: C, or L’ n′ − L ′ if L ′ ≠ 0 and n′ > L ′

Theorem 1 Let C be the number of columns used in a CTC and let L be the length of the message. Also let n be one of the character position indices (0 ≤ n < L) and let n’ = n mod C and L’ = L mod C. Then:  n − n′   L   + n′     if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ C   C   π C, L (n) =   n − n ′ + n ′   L   − (n ′ − L ′ ) if L ′ ≠ 0 and n′ > L ′   C  C    

π5,12 01234 56789 10 11

π5,12 1−1  12  π 5,12 (1) = + 1⋅   = 3 5 5 01234 3− 3   12  π 5,12 (3) = + 3    − (3 − 2) = 0 + 3(3) − 1 = 8 5   5  56789 8−3   12  π 5,12 (8) = + 3    − (3 − 2) = 1 + 8 = 9 5   5  10 11

π5,12 1−1  12  π 5,12 (1) = + 1⋅   = 3 5 5 01234 3− 3   12  π 5,12 (3) = + 3    − (3 − 2) = 0 + 3(3) − 1 = 8 5   5  56789 8−3   12  π 5,12 (8) = + 3    − (3 − 2) = 1 + 8 = 9 5   5  10 11 7−2   12  π 5,12 (7) = + 2 ⋅    = 1 + 2(3) = 7 5   5 

π5,12 1−1  12  π 5,12 (1) = + 1⋅   = 3 5 5 01234 3− 3   12  π 5,12 (3) = + 3    − (3 − 2) = 0 + 3(3) − 1 = 8 5   5  56789 8−3   12  π 5,12 (8) = + 3    − (3 − 2) = 1 + 8 = 9 5   5  10 11 7−2   12  π 5,12 (7) = + 2 ⋅    = 1 + 2(3) = 7 5   5  π 5,12 = (1, 3, 8, 9,11, 5)

THE RAIL FENCE CIPHER

C Y T G A H R P O R P Y

C Y T G A H R P O R P Y CYTGAHRPORPY

C Y T G A H R P O R P Y CYTGAHRPORPY Rail fence cipher = π 2, L

C Y T G A H R P O R P Y CYTGAHRPORPY Rail fence cipher = π 2, L C R Y P T O CYTGAHRPORPY G R A P H Y

 n − n′   L   + n′     if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ C   C   π C, L (n) =   n − n ′ + n ′   L   − (n ′ − L ′ ) if L ′ ≠ 0 and n′ > L ′   C  C    

 n − n′   L   + n′     if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ C   C   π C, L (n) =   n − n ′ + n ′   L   − (n ′ − L ′ ) if L ′ ≠ 0 and n′ > L ′   C  C     n’ = 0 (n even) or 1 (n odd)

 n − n′   L   + n′     if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ C   C   π C, L (n) =   n − n ′ + n ′   L   − (n ′ − L ′ ) if L ′ ≠ 0 and n′ > L ′   C  C     n’ = 0 (n even) or 1 (n odd)  n n even  2  π 2, L (n) =   n − 1 +  L  n odd 2 2  

 n − n′   L   + n′     if L ′ = 0, or if L ′ ≠ 0 and 0 ≤ n′ ≤ L ′ C   C   π C, L (n) =   n − n ′ + n ′   L   − (n ′ − L ′ ) if L ′ ≠ 0 and n′ > L ′   C  C     n’ = 0 (n even) or 1 (n odd) L  n L even  2 n even  = 2   L + 1 L odd π 2, L (n) =  2  n − 1 +  L  n odd  2 2  

Corollary 2 Let L be the length of a message enciphered with the rail fence cipher. Also let n be one of the character position indices (0 ≤ n < L). Then:  n n even  2   n+L π 2, L (n) =  n odd, L odd 2   n + L −1 n odd, L even  2 

What character positions are ﬁxed by the RFC? C R Y P T O CYTGAHRPORPY G R A P H Y

What character positions are fixed by the RFC? C R Y P T O CYTGAHRPORPY G R A P H Y Corollary 3 The first character in the message is always fixed by the RFC. The last character is fixed if and only if L is even. There are no other fixed points.

π 2, L (n) = n

π 2, L (n) = n L odd: L even:

π 2, L (n) = n L odd: L even: n even: n odd:

π 2, L (n) = n L odd: L even: n even: n odd: n =n⇔n=0 2

π 2, L (n) = n L odd: L even: n even: n odd: n n + L −1 =n⇔n=0 =n 2 2 n = L −1

π 2, L (n) = n L odd: L even: n odd: n even: n odd: n n + L −1 =n⇔n=0 =n 2 2 n = L −1

π 2, L (n) = n L odd: L even: n odd: n even: n odd: n n+L n + L −1 =n⇔n=0 =n =n 2 2 2 n=L ⊗ n = L −1 (0 ≤ n < L)

π 2, L (n) = n L odd: L even: n odd: n even: n odd: n n+L n + L −1 =n⇔n=0 =n =n 2 2 2 n=L ⊗ n = L −1 (0 ≤ n < L) Corollary 4 If L is even, then π2,L = π2,L+1. So we may assume for what follows that L is odd.

THE INITIAL CYCLE AND THE STRUCTURE OF THE RAIL FENCE CIPHER

How does π2,L factor into a product of disjoint cycles?

How does π2,L factor into a product of disjoint cycles? 0th position always ﬁxed; position 1 is ﬁrst one that moves.

How does π2,L factor into a product of disjoint cycles? 0th position always ﬁxed; position 1 is ﬁrst one that moves. Cycle containing 1 = initial cycle

How does π2,L factor into a product of disjoint cycles? 0th position always ﬁxed; position 1 is ﬁrst one that moves. Cycle containing 1 = initial cycle Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2)

How does π2,L factor into a product of disjoint cycles? 0th position always ﬁxed; position 1 is ﬁrst one that moves. Cycle containing 1 = initial cycle Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2) Initial cycle of π2,33: (1, 17, 25, 29, 31, 32, 16, 8, 4, 2)

How does π2,L factor into a product of disjoint cycles? 0th position always ﬁxed; position 1 is ﬁrst one that moves. Cycle containing 1 = initial cycle Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2) Initial cycle of π2,33: (1, 17, 25, 29, 31, 32, 16, 8, 4, 2) Theorem 5 the initial cycle of π2,L is k-1, then If L = 2 k −1 k−2 (1, 2 ,2 ,K , 8, 4, 2)

Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2)

Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2) 6 5 4 2 mod11 2 mod11 2 mod11

Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2) 6 5 4 2 mod11 2 mod11 2 mod11 Theorem 6 Let l1 be the length of the initial cycle of π2,L. Then k l1 − k π 2, L (1) = 2 mod L

Initial cycle of π2,11: (1, 6, 3, 7, 9, 10, 5, 8, 4, 2) 6 5 4 2 mod11 2 mod11 2 mod11 Theorem 6 Let l1 be the length of the initial cycle of π2,L. Then k l1 − k π 2, L (1) = 2 mod L Corollary 7 l1 > log 2 L

What about the other cycles? π 2,17 (1, 9, 13, 15, 16, 8, 4, 2)(3, 10, 5, 11, 14, 7, 12, 6) 1 9 13 15 16 8 4 2 3 10 5 11 14 7 12 6

What about the other cycles? π 2,17 (1, 9, 13, 15, 16, 8, 4, 2)(3, 10, 5, 11, 14, 7, 12, 6) 1 9 13 15 16 8 4 2 3 10 5 11 14 7 12 6 3x

What about the other cycles? π 2,17 (1, 9, 13, 15, 16, 8, 4, 2)(3, 10, 5, 11, 14, 7, 12, 6) 1 9 13 15 16 8 4 2 3 10 5 11 14 7 12 6 3x mod 3x 17

What about the other cycles? π 2,17 (1, 9, 13, 15, 16, 8, 4, 2)(3, 10, 5, 11, 14, 7, 12, 6) 1 9 13 15 16 8 4 2 3 10 5 11 14 7 12 6 3x mod 3x Theorem 8 17 π 2, L (n) = ( n ⋅ π 2, L (1)) mod L I.e.: Every cycle is determined by the initial cycle.

Proof of Theorem 8

Proof of Theorem 8 L +1 π 2, L (1) = 2

Proof of Theorem 8 L +1 π 2, L (1) = 2 n nL + n  n n even: π 2, L (n) − n ⋅ π 2, L (1) = − = L  −  ∈¢  2 2 2 n + L nL + n 1− n n odd: π 2, L (n) − n ⋅ π 2, L (1) = = L −  ∈¢ 2 2 2

Proof of Theorem 8 L +1 π 2, L (1) = 2 n nL + n  n n even: π 2, L (n) − n ⋅ π 2, L (1) = − = L  −  ∈¢  2 2 2 n + L nL + n 1− n n odd: π 2, L (n) − n ⋅ π 2, L (1) = = L −  ∈¢ 2 2 2 In all cases, L divides difference.

Proof of Theorem 8 L +1 π 2, L (1) = 2 n nL + n  n n even: π 2, L (n) − n ⋅ π 2, L (1) = − = L  −  ∈¢  2 2 2 n + L nL + n 1− n n odd: π 2, L (n) − n ⋅ π 2, L (1) = = L −  ∈¢ 2 2 2 In all cases, L divides difference. Corollary 9 ( ) mod L k l1 − k (n) = n ⋅ 2 π 2, L

THE ORDER OF THE RAIL FENCE CIPHER

Proposition (basic group theory) If a permutation in Sn is written as a product of disjoint cycles, then the order of the permutation is the least common multiple of the cycle lengths.

Proposition (basic group theory) If a permutation in Sn is written as a product of disjoint cycles, then the order of the permutation is the least common multiple of the cycle lengths. Theorem 10 The order of the rail fence cipher is the length of its initial cycle.

Proposition (basic group theory) If a permutation in Sn is written as a product of disjoint cycles, then the order of the permutation is the least common multiple of the cycle lengths. Theorem 10 The order of the rail fence cipher is the length of its initial cycle. Proof outline: Show that the length of each cycle in the disjoint cycle factorization divides the length of the initial cycle.

G = π 2, L ⊆ SL

G = π 2, L ⊆ SL { } k orbG (n) = y : y = π (n) for some k = Cycle containing n 2, L

G = π 2, L ⊆ SL { } k orbG (n) = y : y = π (n) for some k = Cycle containing n 2, L orbG (1) = Initial cycle

G = π 2, L ⊆ SL { } k orbG (n) = y : y = π (n) for some k = Cycle containing n 2, L orbG (1) = Initial cycle Deﬁne binary operation * on orbG(1): a b a +b π 2, L (1) ∗ π 2, L (1) = π 2, L (1)

G = π 2, L ⊆ SL { } k orbG (n) = y : y = π (n) for some k = Cycle containing n 2, L orbG (1) = Initial cycle Deﬁne binary operation * on orbG(1): a b a +b π 2, L (1) ∗ π 2, L (1) = π 2, L (1) Claim: orbG(1) forms an abelian group under *.

G = π 2, L ⊆ SL { } k orbG (n) = y : y = π (n) for some k = Cycle containing n 2, L orbG (1) = Initial cycle Deﬁne binary operation * on orbG(1): a b a +b π 2, L (1) ∗ π 2, L (1) = π 2, L (1) Claim: orbG(1) forms an abelian group under *. −1 (π ) a = π 2,− a (n) l1 (1) 2, L L

Let x be the smallest element of its cycle, so cycle = orbG(x). orbG(1) acts on orbG(x):

Let x be the smallest element of its cycle, so cycle = orbG(x). orbG(1) acts on orbG(x): ( )( π i2, L (1), ( x ⋅ π 2, L (1)) mod L a ) j x ⋅ π 2, Lj (1) mod L i+

Let x be the smallest element of its cycle, so cycle = orbG(x). orbG(1) acts on orbG(x): ( )( π i2, L (1), ( x ⋅ π 2, L (1)) mod L a ) j x ⋅ π 2, Lj (1) mod L i+ { } k k Fx = π (1) ∈orbG (1) : x ⋅ π (1) = x mod L = Stabilizer of x 2, L 2, L

Let x be the smallest element of its cycle, so cycle = orbG(x). orbG(1) acts on orbG(x): ( )( π i2, L (1), ( x ⋅ π 2, L (1)) mod L a ) j x ⋅ π 2, Lj (1) mod L i+ { } k k Fx = π (1) ∈orbG (1) : x ⋅ π (1) = x mod L = Stabilizer of x 2, L 2, L Classical group theory: Fx is a subgroup of orbG(1) The following mapping is a bijection: orbG (1) → orbG (x) FX π 2, L (1) ⋅ FX a π 2, L (x) k k

π2,35 = (1, 18, 9, 22, 11, 23, 29, 32, 16, 8, 4, 2)(3, 19, 27, 31, 33, 34, 17, 26, 13, 24, 12, 6)(5, 20, 10)(7, 21, 28, 14)(15, 25, 30)

π2,35 = (1, 18, 9, 22, 11, 23, 29, 32, 16, 8, 4, 2)(3, 19, 27, 31, 33, 34, 17, 26, 13, 24, 12, 6)(5, 20, 10)(7, 21, 28, 14)(15, 25, 30) (1, 18, 9, 22, 11, 23, 29, 32, 16, 8, 4, 2) { } F7 = {n ∈orbG (1) : 7n = 7 mod 35} = {1,11,16} = π 0 35 (1),π 2, 35 (1),π 8 35 (1) 4 2, 2,

π2,35 = (1, 18, 9, 22, 11, 23, 29, 32, 16, 8, 4, 2)(3, 19, 27, 31, 33, 34, 17, 26, 13, 24, 12, 6)(5, 20, 10)(7, 21, 28, 14)(15, 25, 30) (1, 18, 9, 22, 11, 23, 29, 32, 16, 8, 4, 2) { } F7 = {n ∈orbG (1) : 7n = 7 mod 35} = {1,11,16} = π 0 35 (1),π 2, 35 (1),π 8 35 (1) 4 2, 2, orbG (1) = {1⋅ F7 , 18 ⋅ F7 , 9 ⋅ F7 , 22 ⋅ F7 } F7 orbG (7) = {7, 21, 28,14} = {1mod 35,(18 ⋅ 7)mod 35,(9 ⋅ 7)mod 35,(22 ⋅ 7)mod 35}

orbG (1) orbG (1) = orbG (x) = FX Fx ∴ orbG (1) = Fx ⋅ orbG (x) Therefore the length of the cycle containing x divides the length of the initial cycle.

Theorem 11 orbG (1) ≅ 2 ⊆ ¢ ∗ L By Theorem 6, π 2, L (1) = 2 l1 − k mod L k Corollary 12 The order of the rail fence cipher on a text of length L (odd) is the order of the integer 2 in ¢ L ∗ Corollary 13 π 2, L divides φ(L).

UNANSWERED QUESTIONS

UNANSWERED QUESTIONS • Simple way to calculate length of initial cycle?

UNANSWERED QUESTIONS • Simple way to calculate length of initial cycle? • How much of this still works if C > 2?

UNANSWERED QUESTIONS • Simple way to calculate length of initial cycle? • How much of this still works if C > 2? • What are the ﬁxed points in a general CTC?

UNANSWERED QUESTIONS • Simple way to calculate length of initial cycle? • How much of this still works if C > 2? • What are the ﬁxed points in a general CTC? • Can we tell when the RFC or general CTC has a k-cycle?

UNANSWERED QUESTIONS • Simple way to calculate length of initial cycle? • How much of this still works if C > 2? • What are the ﬁxed points in a general CTC? • Can we tell when the RFC or general CTC has a k-cycle? • When is the RFC or general CTC a single (L-1)-cycle?

THANK YOU Contact: rtalbert@franklincollege.edu Slides/PDFs for this talk: http://www.slideshare.net/rtalbert/deconstructing- columnar-transposition-ciphers http://www.box.net/shared/2ye298vm3g Paper: “The cycle structure and order of the rail fence cipher”. Cryptologia, 30(2):159-172, 2006.

Deconstructing Columnar Transposition Ciphers

0 comments

Notes on slide 1

Favorites, Groups & Events