Skip to main content

Featured Post

Backdooring Cryptography - Two characters that break your SSL encryption

In this article, we demonstrate a subtle but devastating backdoor in finite-field Diffie–Hellman. By computing public keys modulo $p^2$ instead of $p$ while restricting the secret exponent to $x \leq p-1$, the discrete logarithm becomes efficiently recoverable using Fermat quotients. We show the full derivation and provide a working Sage implementation. Backdoors are always bad — but they are catastrophic when they are embedded in a fundamental primitive like Diffie–Hellman key exchange. If your browser shows a green lock, you assume your connection is secure. But what if the implementation of Diffie–Hellman contains a tiny change that looks harmless in code review — and yet allows an attacker to recover the private exponent in milliseconds? In this post I’ll show a nasty little backdoor that requires only a tiny modification: using a modulus of $p^2$ instead of $p$, while keeping the secret exponent bounded by $p$ This complete...
Post a Comment

Kryptos - The Cipher (Part 6-c) - Equal letter frequencies for two K4 groups

In this post I want to revisit an observation from years ago that seems to address K4 directly. It begins with a simple experiment: split the K4 ciphertext at every W. Once you do that, an unexpected frequency pattern emerges. A related discussion can be found in [1]

For a quick introduction, I put together a short video that explains the basic idea behind this “W-splitting” approach.

Video: Overview of the W-Splitting phenomenon

Collection of Facts

So, actually there are some surprising facts that come together here.

  1. The letter 'W' is distributed in such a way that K4 can be split into blocks of a reasonable length. 

                               OBKR
UOXOGHULBSOLIFBBWFLRVQQPRNGKSSO
TWTQSJQSSEKZZWATJKLUDIAWINFBNYP
VTTMZFPKWGDKZXTJCDIGKUHUAUEKCAR

    Each of the blocks has a suitable length to contain one or more english words. 

    B1 = OBKRUOXOGHULBSOLIFBB
B2 = FLRVQQPRNGKSSOT
B3 = TQSJQSSEKZZ
B4 = ATJKLUDIA
B5 = INFBNYPVTTMZFPK
B6 = GDKZXTJCDIGKUHUAUEKCAR

  2. Using 'W' as the splitting indicator removes one letter completely from the ciphertext. This leaves us with an alphabet of size 25. This may be suitable for some suggested approaches, such as using Polybius squares, but may cause problems for others.

  3. The known plaintext clues fit perfectly into the blocks without overlapping. Hence the blocks probably also reveal word boundaries, if we assume that words dont fall into two different blocks. 

    B1 = OBKRUOXOGHULBSOLIFBB
B2 = EASTNORTHEASTOT
B3 = TQSJQSSEKZZ
B4 = ATJKLUDIA
B5 = INFBBERLINCLOCK
B6 = GDKZXTJCDIGKUHUAUEKCAR

    You could speculate the "OT" after "EASTNORTHEAST" perhaps is "OF" or "TO" and the form letters "INFB" before "BERLINCLOCK" maybe something like "FROM".

  4. The six blocks are arranged into two groups but not arbitrarily, but based on their parity. 

    Group 1
B1 = OBKRUOXOGHULBSOLIFBB
B3 = TQSJQSSEKZZ
B5 = INFBNYPVTTMZFPK

Group 2
B2 = FLRVQQPRNGKSSOT
B4 = ATJKLUDIA
B6 = GDKZXTJCDIGKUHUAUEKCAR

  5. The two groups have the same number of letters (46), which is necessary for the most prominent feature: the frequency distribution of the letters in the two blocks is identical.

Letter frequency - Group 1
5
B
4
O
4
S
3
F
3
K
3
T
3
Z
2
I
2
L
2
N
2
P
2
Q
2
U
1
E
1
G
1
H
1
J
1
M
1
R
1
V
1
X
1
Y
0
A
0
C
0
D
0
W
Letter frequency - Group 2
5
K
4
A
4
U
3
D
3
G
3
R
3
T
2
C
2
I
2
J
2
L
2
Q
2
S
1
E
1
F
1
H
1
N
1
O
1
P
1
V
1
X
1
Z
0
B
0
M
0
W
0
Y

The labels differ, but the histogram shape is exactly the same in both groups.

Speculations

So how could such a pattern arise? Whatever the explanation is, it does not look like the accidental by-product of an ordinary cipher. Standard substitutions, transpositions, or Vigenère-like methods can certainly produce local irregularities, but they do not naturally produce two parity-based groups of equal length that also share an identical frequency profile after splitting on a single letter. That does not rule such methods out completely, but it strongly suggests that some additional organizing rule is present.

I asked Sanborn if he was surprised that K4 has remained unsolved for 35 years. He was not. The K4 code was devised “in collaboration with a cryptographer who encrypts national security secrets”, Sanborn said.

I asked if a solution existed at all. What better way to ensure the long shelf life of a cipher and there- fore a sculpture? What cleverer bit of conceptual art at the heart of the American intelligence com- munity? He shrugged this off.

“It is a solid system, and I fucked with it.”
“What do you mean you fucked with it?”
“I can’t say.”

Interview Jim Sanborn - Financial Times Weekend

This statement—“It is a solid system, and I fucked with it.”—has always stood out to me. It suggests that K4 may not be based on a fundamentally new cipher, but rather on a known, “solid” construction that was deliberately altered. In other words: the difficulty might not come from the core method itself, but from the way it has been modified.

You can easily take a solid system then "fuck with it" - i.e. change/tweak it in some direction - to make a new or even (in your eyes) harder system. And that kind of modification can go in very different directions. Starting from a sound system, even small tweaks can have disproportionate effects:

  1. The system may become unintentionally weaker
  2. The system may lose uniqueness (multiple valid decryptions)
  3. The system gets too hard to be broken by current methods

The last point is particularly interesting in the context of the observations above. A carefully—or even carelessly—introduced constraint could force the ciphertext into exhibiting artificial symmetries, such as the identical frequency profiles seen in the two groups. This would not necessarily strengthen the cipher in a classical sense, but it could significantly obscure its structure and mislead standard analytical approaches.

From that perspective, the W-splitting phenomenon might not be a coincidence at all, but a side effect of such a “tampering” step. Perhaps two components were combined under an additional rule. Perhaps a balancing constraint was imposed. Or perhaps a transformation was applied that preserves certain global statistics while destroying local interpretability.

However, this also raises a more uncomfortable possibility: what if the modification was not clean? If the system was “messed with” in a way that breaks some of the usual assumptions cryptanalysts rely on, then we may be facing something that is not just difficult—but structurally awkward. Not unsolvable, but resistant to the kinds of methods we instinctively try first.

In that sense, the symmetry observed here might be less of a direct clue and more of a warning. It tells us that something artificial is going on—but not necessarily what. Any convincing approach to K4 should therefore not only explain the ciphertext, but also account for these imposed regularities. Ignoring them feels risky. Over-interpreting them may be just as dangerous.

So perhaps the right takeaway is this: instead of asking which cipher produces K4, we may need to ask which cipher, once “fucked with”, produces something that looks like this.

[1] https://glthr.com/a-fresh-perspective-on-kryptos-k4

Related Posts:

Labels:

Comments

Post a Comment

Popular posts from this blog

Kryptos - The Cipher (Part 4) - Correctly positioned decryption of the word BERLIN

EASTNORTHEAST - This is not exactly the hint Jim Sanborn (JS) gave for K4 on the 29th of January this year. He only gave NORTHEAST - which refers to the positions 26-34 of K4's plaintext.  Beside BERLIN and CLOCK it is the third revealed plaintext word of K4. However, also this hint does not seem to help much.  However, it just so happened, that a member in the yahoo kryptos group had a conversation with Jim Sanborn due to a submitted solution. Sandborn's answer to the question contained again the last clue which surprisingly was EASTNORTHEAST at position 22-34. Jim Sanborns compass rose at CIA There is disagreement if Jim revealed this on purpose or he did it accidentially, but the new extended clue seem to be serious and valid.Interestingly, EASTNORTHEAST is exactly the direction which is illustrated on the compass rose on one of the stones around kryptos, also created by Jim Sanborn. Actually, i dont really kn...
116 comments
Read more

Kryptos - The Cipher (Part 1) - Introduction

Introduction. Since I think that KRYPTOS does not need any introduction, I will only give you a brief description of one of the most famous and only partially solved ciphers known today: KRYPTOS - Von Jim Sanborn - Jim Sanborn, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=8253447 KRYPTOS was constructed in Nov. 1990 on the ground of the CIA Headquarter in Langley, Virginia by Jim Sanborn It contains 4 ciphers (K1,K2,K3,K4) on its left side and some kind of Vigenère-Table on its right side K1, K2 and K3 were solved by James Gillogly in 1999. Afterwards, the CIA and later the NSA claimed that they had a solution to the first three ciphers at an earlier point in time Ed Scheidt, a cryptoanalyst and former director of the CIA, gave Sanborn the input of possible cryptographic techniques to use K1 is a variant of the Vigenère-Cipher (Quagmire 3) with the codewords KRYPTOS and PALIMPSES...
7 comments
Read more

Kryptos - The Cipher (Part 3) - K4 Intentional vs. non-intentional errors

This post is about is more or less a collection of several approaches and facts that has been said as well as some speculations. B-ary integer representation According to [1] during a Question and Answer round, Jim Sanborn was asked again about the hint BERLIN. The question was if N decodes to B, Y decodes to E, etc, etc. and Jim confirmed it does. Emphatically . It is written, that Jim Sanborn rattled through the entire crib: \begin{align}   \texttt{N} &\stackrel{\text{decode}}{\rightarrow} \texttt{B} \\   \texttt{Y} &\stackrel{\text{decode}}{\rightarrow}  \texttt{E} \\   \texttt{P} &\stackrel{\text{decode}}{\rightarrow}  \texttt{R} \\   \texttt{V} &\stackrel{\text{decode}}{\rightarrow}  \texttt{L} \\   \texttt{T} &\stackrel{\text{decode}}{\rightarrow}  \texttt{I} \\   \texttt{T} &\stackrel{\text{decode}}{\rightarrow}  \texttt{N} \end{align} When the same q...
1 comment
Read more