Part 7: Introduction to Cryptanalysis
What is cryptanalysis?
Cryptanalysis is the art and science of breaking cryptographic systems. While cryptography seeks to hide information, cryptanalysis seeks to reveal it. This field serves two critical purposes: attackers use it to break systems for malicious goals, while security researchers use it to test and strengthen cryptographic algorithms.
The main goal of cryptanalysis is to recover plaintext from ciphertext without authorized access to the key. In practice, this means finding weaknesses in algorithms, implementations, or key management that allow shortcuts to decryption.
Modern cryptanalysis operates under core assumptions: analysts typically know the encryption algorithm being used (following Kerckhoffs's principle) and have some idea of what they're looking for—whether German text, ARM machine code, JPEG file headers, or credit card numbers. The challenge lies in exploiting patterns, weaknesses, or side effects to extract secrets.
Attack models: what cryptanalysts can observe
Cryptanalysts work within different attack models that define what information they can access. Understanding these models helps us evaluate cipher strength and design robust systems.
Brute force: the baseline attack
The most straightforward approach is exhaustive key search—trying every possible key until one produces meaningful plaintext. This sets the security baseline: a cipher with an \(n\)-bit key requires at most \(2^n\) attempts, with an average of \(2^{n-1}\) attempts to find the correct key.
Brute force becomes infeasible with sufficient key length. A 128-bit key space contains approximately \(3.4 \times 10^{38}\) possibilities. Even with hypothetical hardware performing \(10^{18}\) operations per second, exhaustive search would take billions of times longer than the age of the universe.
The existence of brute force attacks means that a cryptanalytic attack succeeds when it can recover the key or plaintext in significantly fewer than \(2^{n-1}\) operations. This is possible against weak ciphers that leak hints about the key, but it is also possible when the attacker suspects that poor key generation techniques were used, such as seeding a pseudorandom number generator with the (somewhat predictable) time or with a simple password.
Ciphertext-only attack (COA)
In a ciphertext-only attack, the analyst has access only to encrypted messages with no corresponding plaintext. This scenario appears frequently in movies but proves extremely difficult against well-designed modern ciphers.
COA attacks typically exploit statistical properties of the plaintext language or weaknesses in cipher implementation. Historical examples include frequency analysis against simple substitution ciphers, where analysts count letter frequencies to map ciphertext symbols to plaintext letters based on expected language patterns.
Modern block ciphers in proper modes resist COA attacks by producing ciphertext that appears statistically random. However, COA remains relevant when analyzing proprietary algorithms, legacy systems, or poorly implemented cryptography.
Known plaintext attack (KPA)
Known plaintext attacks analyze matching pairs of plaintext and ciphertext to discover patterns that reveal the encryption key or algorithm structure. The analyst cannot choose the plaintext but can study correlations between inputs and outputs.
The famous breaking of the Enigma cipher during World War II exemplified KPA techniques. Allied cryptanalysts obtained stolen plaintext-ciphertext pairs and used them to deduce rotor settings and plugboard configurations. They also exploited predictable message formats, such as weather reports that began with standard phrases.
KPA proves more powerful than COA because it reveals how specific plaintext patterns transform into ciphertext patterns. This information can expose weaknesses in substitution boxes, key schedules, or mixing functions within block ciphers.
Chosen plaintext attack (CPA)
Chosen plaintext attacks allow the analyst to select specific plaintext messages and observe the resulting ciphertext. This model reflects scenarios where attackers can influence message content—for example, by getting a target system to encrypt attacker-controlled data.
CPA enables systematic testing of cipher behavior. Analysts can choose plaintexts designed to reveal structural weaknesses, test specific hypotheses about key bits, or probe how differences in input affect output patterns.
Modern cipher design considers CPA security essential. If a cipher cannot resist attackers who control plaintext inputs, it will fail in many real-world deployment scenarios where such control is possible.
Chosen ciphertext attack (CCA)
Chosen ciphertext attacks involve submitting ciphertext to a decryption oracle and observing either the resulting plaintext or error responses. This model captures scenarios where attackers can trigger decryption operations and learn from the results.
A classic CCA example involves attacks against improperly implemented CBC mode encryption. When CBC mode decrypts a block, it must remove padding bytes that were added to make the plaintext fit block boundaries. If the system responds differently to valid versus invalid padding, perhaps with different error messages or response times, an attacker can exploit this difference. By submitting modified ciphertext blocks and observing these responses, the attacker gradually learns information about the original plaintext, sometimes recovering it entirely. This demonstrates why systems should either use authenticated encryption modes or ensure that all decryption errors look identical to potential attackers.
CCA attacks highlight why confidentiality alone is insufficient: systems need authenticated encryption to detect and reject tampered ciphertext. AEAD modes like GCM provide CCA security by binding authentication tags to ciphertext, so tampering attempts are detected and rejected.
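As an added illustration of the padding-oracle point above (not code from the lecture), here is a CBC decryption routine that reports padding failures distinctly, beside an encrypt-then-MAC version that verifies the ciphertext before unpadding and answers every failure identically; a small test tampers with the byte that feeds the last plaintext byte and counts how many different answers each API gives. The block cipher, keys, IV and message are constructed stand-ins (a toy XOR mask replaces AES so the example runs offline with only the standard library); the point is the response-distinguishability check, not the cipher.

```python
import hashlib
import hmac
BLOCK = 16
KEY, MAC_KEY, IV = b"K" * 16, b"M" * 16, bytes(range(16))  # constructed sample values
MESSAGE = b"TRANSFER 100 TO ACCOUNT 4242"  # constructed; 28 bytes -> 2 blocks, 4 pad bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_block(key: bytes, block: bytes) -> bytes:
    # Toy "block cipher" (XOR with a key-derived mask): a self-inverse permutation
    # with no security at all, used only so CBC and padding can run without AES.
    return _xor(block, hashlib.sha256(b"toy|" + key).digest()[:BLOCK])

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    pad = BLOCK - len(pt) % BLOCK
    pt, out, prev = pt + bytes([pad]) * pad, b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _toy_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(_toy_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def leaky_decrypt(key: bytes, iv: bytes, ct: bytes) -> str:
    # Vulnerable: padding is checked before any integrity check, and the
    # failure is reported distinctly. That distinction is the oracle.
    try:
        pkcs7_unpad(cbc_decrypt_raw(key, iv, ct))
    except ValueError:
        return "bad padding"
    return "ok"

def hardened_decrypt(key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes) -> str:
    # Encrypt-then-MAC: verify iv||ct in constant time before touching the padding
    # and give every failure the same answer; unpadding only sees authentic data.
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return "rejected"
    pkcs7_unpad(cbc_decrypt_raw(key, iv, ct))
    return "ok"

def distinct_responses(oracle, ct: bytes) -> int:
    # Set the byte that XORs into the last plaintext byte (last byte of the
    # next-to-last ciphertext block) to every other value and count the different
    # answers: 1 means the API leaks nothing, more than 1 means it is an oracle.
    pos, seen = len(ct) - BLOCK - 1, set()
    for b in range(256):
        if b != ct[pos]:
            seen.add(oracle(ct[:pos] + bytes([b]) + ct[pos + 1:]))
    return len(seen)

def demo() -> tuple:
    ct = cbc_encrypt(KEY, IV, MESSAGE)
    tag = hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
    return (distinct_responses(lambda c: leaky_decrypt(KEY, IV, c), ct),
            distinct_responses(lambda c: hardened_decrypt(KEY, MAC_KEY, IV, c, tag), ct))
```

`demo()` returns `(2, 1)`: the leaky API answers "ok" or "bad padding" depending on the tampered byte, while the hardened API answers "rejected" for every tampered ciphertext.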
Cryptanalytic techniques
Beyond brute force, cryptanalysts employ sophisticated mathematical and statistical techniques to find cipher weaknesses. These approaches exploit specific structural properties rather than exhaustively searching key space.
Differential cryptanalysis
Differential cryptanalysis examines how differences in plaintext inputs propagate through a cipher to produce differences in ciphertext outputs. The technique seeks to identify non-random behavior that reveals information about internal cipher structure or key bits.
The attack process begins with selecting plaintext pairs that differ in specific bit positions. The analyst encrypts these pairs and studies how input differences affect output differences across multiple plaintext-ciphertext samples. Statistical patterns in these differential behaviors can expose weaknesses in the cipher's substitution boxes or round functions.
Differential cryptanalysis typically requires chosen plaintext access, since analysts must control input differences to systematically explore the cipher's behavior. The technique proved particularly effective against early versions of DES before countermeasures were developed.
Modern cipher design specifically considers differential cryptanalysis resistance. Substitution boxes undergo extensive testing to ensure they resist differential attacks, and round structures incorporate sufficient nonlinearity and diffusion to prevent simple differential patterns from propagating across multiple rounds.
Linear cryptanalysis
Linear cryptanalysis attempts to find linear approximations -- equations involving XOR operations -- that connect plaintext bits, ciphertext bits, and key bits with probability significantly different from random (50%).
Rather than looking for difference patterns like differential cryptanalysis, linear cryptanalysis seeks to approximate the behavior of nonlinear components (particularly S-boxes) using linear expressions. If such approximations exist with sufficient bias, they can be used to determine key bits more efficiently than brute force.
The attack unfolds in two phases. First, analysts construct linear equations that correlate input and output bits with a probability higher or lower than 0.5. Second, they use these biased equations to guess portions of the key, reducing the brute force search space to a manageable size.
Linear cryptanalysis works effectively with known plaintext, making it complementary to differential techniques that prefer chosen plaintext. Both approaches rarely recover complete keys but can reduce the effective key search space from \(2^n\) to something computationally feasible.
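An added example (not from the lecture) of the S-box testing that the differential and linear sections above describe: it computes the difference distribution table and the linear approximation table of a 4-bit S-box, the two tables from which the best single-round differential probability and the largest linear bias are read off. It uses the public PRESENT S-box as the well-designed subject and the identity map as a deliberately affine (and therefore fully linear) one; the function names are this example's own.

```python
from itertools import product

# PRESENT S-box (public, from the PRESENT cipher specification) is a standard
# 4-bit test subject; IDENTITY_SBOX is a deliberately bad affine S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def difference_table(sbox):
    """DDT[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x, din in product(range(n), repeat=2):
        ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt

def max_differential_probability(sbox) -> float:
    # Best single-round differential an analyst could chain through the S-box;
    # 1/4 is the optimum for a 4-bit bijection, 1.0 means a difference always passes.
    n = len(sbox)
    ddt = difference_table(sbox)
    return max(ddt[din][dout] for din in range(1, n) for dout in range(n)) / n

def linear_table(sbox):
    """LAT[a][b] = #{x : parity(a & x) == parity(b & S(x))} - n/2 (signed count)."""
    n = len(sbox)
    lat = [[0] * n for _ in range(n)]
    for a, b in product(range(n), repeat=2):
        agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
        lat[a][b] = agree - n // 2
    return lat

def max_linear_bias(sbox) -> float:
    # Largest |p - 1/2| over linear approximations with a nonzero output mask;
    # 0.25 is optimal for 4 bits, 0.5 means an exact linear relation exists.
    n = len(sbox)
    lat = linear_table(sbox)
    return max(abs(lat[a][b]) for a in range(n) for b in range(1, n)) / n

def sbox_report(sbox) -> dict:
    # The two numbers a designer checks before accepting an S-box.
    return {"max_diff_prob": max_differential_probability(sbox),
            "max_linear_bias": max_linear_bias(sbox)}
```

For PRESENT the report is `{'max_diff_prob': 0.25, 'max_linear_bias': 0.25}`, the best achievable for a 4-bit bijection; for the identity map both values are at their worst (1.0 and 0.5), which is why affine S-boxes are never used.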
Side-channel analysis
Side-channel attacks exploit physical information leaked during cryptographic operations rather than attacking the mathematical algorithm directly. These techniques target implementation weaknesses that reveal secrets through timing, power consumption, electromagnetic emissions, or other observable effects.
Cache timing attacks are an example of this concept. If an AES implementation uses lookup tables indexed by secret key bytes, memory access patterns leak information about which table entries were accessed. On shared hardware, attackers can measure cache timing to determine these access patterns and reconstruct key information.
Power analysis attacks monitor the electrical current consumed during cryptographic operations. Different instructions and data values produce different power signatures, and statistical analysis of many power traces can reveal secret key bits processed during encryption or decryption.
Electromagnetic analysis extends power analysis concepts by measuring EM radiation emitted during computation. These attacks require no physical contact with the target device, making them particularly concerning for smart cards, mobile devices, and other portable cryptographic hardware.
Fault injection attacks deliberately introduce errors during cryptographic operations -- through voltage glitching, clock manipulation, or laser pulses -- and analyze the resulting faulty outputs to extract secret information. The difference between correct and faulty computations often reveals internal cipher state or key bits.
Side-channel defenses focus on breaking the correlation between observable physical effects and secret information. Constant-time implementations ensure that execution time and memory access patterns remain independent of secret values. Masking techniques inject randomness to decorrelate power consumption from sensitive data. Hardware countermeasures include shielding, noise injection, and dedicated cryptographic processors designed to minimize information leakage.
The cryptanalytic process
Cryptanalysis follows a systematic methodology that combines mathematical analysis, statistical testing, and computational techniques to identify and exploit weaknesses.
Reconnaissance (spying) and hypothesis formation
Successful cryptanalysis begins with gathering information about the target system. Analysts must identify the encryption algorithm, understand the implementation environment, and characterize available attack vectors.
This reconnaissance phase determines which attack models apply. Can the analyst influence plaintext content? Access decryption systems? Observe physical side channels? The available attack surface shapes the entire analytical approach.
Hypothesis formation is the next step. Based on the cipher structure and attack model, analysts develop theories about potential weaknesses. These might involve suspected statistical biases, structural vulnerabilities, or implementation flaws that could leak information.
Data collection and pattern analysis
Once hypotheses exist, analysts gather data to test their theories. This might involve collecting large amounts of ciphertext, plaintext-ciphertext pairs, or measurements of physical side channels during cryptographic operations.
Pattern analysis applies statistical and mathematical techniques to identify non-random behavior in the collected data. Frequency analysis remains relevant for simple ciphers, while more sophisticated techniques like correlation analysis, linear algebra, and probability theory apply to modern cryptosystems.
The key insight is that secure ciphers should produce outputs that appear statistically random. Any detectable patterns, biases, or correlations potentially represent exploitable weaknesses.
Key recovery and validation
If patterns emerge, analysts attempt to translate them into key recovery techniques. This might involve algebraic manipulation, statistical analysis, or computational searches through reduced key spaces.
Partial key recovery often proves sufficient. If cryptanalysis reduces the effective key space from \(2^{128}\) to \(2^{40}\), the remaining search becomes computationally feasible with sufficient resources.
Validation confirms that recovered keys actually decrypt target ciphertext to meaningful plaintext. False positives occur frequently in cryptanalytic work, so rigorous testing ensures that apparent successes represent genuine breaks rather than statistical artifacts.
Defensive perspective: using cryptanalysis to strengthen security
Cryptanalysis serves defensive purposes by helping designers and implementers identify and address weaknesses before deployment. This proactive approach prevents vulnerabilities from being exploited maliciously in the future.
Algorithm testing and validation
New cryptographic algorithms undergo extensive cryptanalytic scrutiny before standardization. Researchers apply differential cryptanalysis, linear cryptanalysis, and other techniques to search for structural weaknesses. Only algorithms that resist all known attacks gain acceptance for widespread use.
This testing process continues throughout an algorithm's lifetime. As new cryptanalytic techniques emerge, established algorithms face renewed scrutiny. Algorithms that cannot adapt to new threats eventually require replacement.
As we discussed earlier, this open scrutiny principle proves essential here. Proprietary algorithms cannot benefit from broad cryptanalytic testing, making them inherently less trustworthy than public designs that have survived years of attack attempts.
Implementation security assessment
Even strong algorithms can fail through implementation weaknesses. Security assessments apply cryptanalytic techniques to identify timing vulnerabilities, cache leakage, power analysis susceptibility, and other implementation-specific flaws.
Penetration testing includes cryptanalytic components when evaluating systems that rely on cryptographic protection. Testers attempt to recover keys, bypass authentication, or extract sensitive data using analytical techniques rather than purely exploiting software vulnerabilities.
Code review specifically examines cryptographic implementations for patterns that enable side-channel attacks. Secret-dependent memory accesses, data-dependent execution times, and other correlation sources receive particular attention.
Security parameter selection
Cryptanalytic results inform security parameter choices during system design. If an algorithm shows theoretical weakness that reduces effective security from \(2^{128}\) to \(2^{120}\) operations, designers can compensate by using longer keys or implementing additional countermeasures.
Performance trade-offs become clearer when cryptanalytic bounds are well-understood. Systems can balance security margins against efficiency requirements based on concrete analytical results rather than vague security intuitions.
Modern cryptanalytic landscape
Contemporary cryptanalysis operates in a landscape shaped by powerful computing resources, sophisticated mathematical techniques, and evolving threat models.
Computational resources and their impact
Modern cryptanalysis leverages massive computational power through GPU clusters, cloud computing, and specialized hardware. Attacks that seemed only theoretical decades ago have now become practical with sufficient resources.
The increasing availability of computational power affects both attackers and defenders. While it enables more sophisticated cryptanalytic techniques, it also allows defenders to use larger key sizes and more rounds to maintain security margins.
Quantum computing represents a potential paradigm shift for cryptanalysis. Although current quantum computers are not yet capable of this, Shor's algorithm shows that, in theory, they could break current public-key cryptographic algorithms (which we will cover in the next lecture). Grover's algorithm shows that quantum computers can effectively halve symmetric key security. Post-quantum cryptography development partly responds to these theoretical capabilities.
Cryptanalytic tool development
Automated cryptanalysis tools enable systematic exploration of cipher weaknesses. Software packages implement differential cryptanalysis, linear cryptanalysis, and other techniques, allowing researchers to test algorithms more thoroughly and efficiently.
Machine learning applications in cryptanalysis represent an emerging frontier. Neural networks can potentially identify patterns in cryptographic data that traditional statistical methods miss, though this area remains largely experimental.
Side-channel analysis tools have become increasingly sophisticated, with commercial equipment capable of extracting keys from implementations that seemed secure under traditional cryptanalytic approaches.
The arms race continues
Cryptanalysis and cryptography exist in perpetual tension. Each new analytical technique drives defensive improvements, while each defensive innovation motivates new attack approaches.
This dynamic benefits overall security by continuously raising standards. Algorithms must resist not only current attacks but also anticipated future techniques. Implementation practices evolve to address newly discovered side-channel vulnerabilities.
The open research community plays a crucial role by ensuring that cryptanalytic advances benefit defenders as well as attackers. Academic conferences, public research, and standardization processes help disseminate both attack techniques and defensive countermeasures.
Conclusion
Cryptanalysis is the essential testing ground for cryptographic security. By understanding how systems can be broken, we learn how to build stronger defenses.
The attack models, from ciphertext-only to chosen ciphertext, define the threat landscape that cryptographic systems must survive. Techniques like differential and linear cryptanalysis probe algorithmic weaknesses, while side-channel analysis exposes implementation vulnerabilities.
In practice, cryptanalysis provides concrete guidance for security decisions. Algorithms that resist extensive analytical scrutiny deserve preference over unproven alternatives. Implementation practices that minimize side-channel leakage reduce real-world attack risks.
The field continues evolving as new analytical techniques emerge and computational capabilities expand. Understanding these developments helps security professionals make informed decisions about cryptographic choices and system designs.
Remember that cryptanalysis serves both attackers and defenders. The same techniques that malicious actors use to break systems also help security researchers identify and fix vulnerabilities before they can be exploited. This dual nature makes cryptanalytic knowledge essential for anyone working with cryptographic systems.