
Cryptography Assignment

Harish Rithish 106114032


Suhith Rajesh 106114094
Prajwal Renukanand 106114068
Hitheshan 106114034
Manjith Dungdung 106114051

February 8, 2017

Problem 1.
The numbers 7 and 23 are relatively prime and therefore there must exist integers a and b such that 7a + 23b = 1. Using the extended Euclidean algorithm, find such a pair of integers (a, b) with the smallest possible a > 0. Given this pair, can you determine the inverse of 7 in $\mathbb{Z}_{23}$?

Proof.

| remainder | $q_i$ | a | b |
|---|---|---|---|
| 23 | | 1 | 0 |
| 7 | 3 | 0 | 1 |
| 2 | 3 | 1 | -3 |
| 1 | | -3 | 10 |

x = -3, y = 10

Problem 2.
Given the numbers 98 and 38 there must exist integers a and b such that 98a + 38b = GCD(98, 38). Using the extended Euclidean algorithm, find such a pair of integers (a, b) with the smallest possible a > 0. Given this pair, can you determine the inverse of 38 in $\mathbb{Z}_{98}$?

Proof.

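| remainder | $q_i$ | a | b |
|---|---|---|---|
| 98 | | 1 | 0 |
| 38 | 2 | 0 | 1 |
| 22 | 1 | 1 | -2 |
| 16 | 1 | -1 | 3 |
| 6 | 2 | 2 | -3 |
| 4 | 1 | -5 | 13 |
| 2 | 2 | 7 | -18 |
| 0 | | | |

a = 7, b = -18

The inverse doesn't exist because GCD of 98 and 38 ≠ 1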
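The table method of Problems 1 and 2, written out as an added Python example (not part of the original assignment). The function names are chosen here; `smallest_positive_pair` normalises the coefficient of the first argument to the smallest positive value, as both problems ask.

```python
def extended_gcd(x, y):
    """Return (g, s, t) with s*x + t*y == g == gcd(x, y).

    Each loop iteration corresponds to one row of the remainder/quotient table.
    """
    old_r, r = x, y
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def smallest_positive_pair(x, y):
    """Return (g, a, b) with a*x + b*y == g and a the smallest positive choice."""
    g, a, _ = extended_gcd(x, y)
    step = y // g              # a is only determined modulo y / g
    a = a % step or step       # move a into the range 1..step
    b = (g - a * x) // y       # exact division by construction
    return g, a, b


def mod_inverse(value, modulus):
    """Return value^-1 mod modulus, or None when gcd(value, modulus) != 1."""
    g, s, _ = extended_gcd(value % modulus, modulus)
    if g != 1:
        return None            # no inverse: value shares a factor with modulus
    return s % modulus


if __name__ == "__main__":
    print(smallest_positive_pair(7, 23), mod_inverse(7, 23))
    print(smallest_positive_pair(98, 38), mod_inverse(38, 98))
```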

Problem 3.
A generalization of the Caesar cipher, known as the affine Caesar cipher, has the following form: for each plaintext letter p, substitute the ciphertext letter C: $C = E([a, b], p) = (ap + b) \bmod 26$.

A basic requirement of any encryption algorithm is that it be one-to-one. That is, if $p \neq q$, then $E(k, p) \neq E(k, q)$. Otherwise, decryption is impossible, because more than one plaintext character maps into the same ciphertext character. The affine Caesar cipher is not one-to-one for all values of a. For example, for a = 2 and b = 3, E([a, b], 0) = E([a, b], 13) = 3.

a. Are there any limitations on the value of b? Explain why or why not.
b. Determine which values of a are not allowed.
c. Provide a general statement of which values of a are and are not allowed. Justify your statement.

Proof.

i. No, there are no limitations on the value of b.

y mod 26 = ax + b
(y - b) mod 26 = ax

As b only shifts the value of the encryption, the one-to-one property is retained. Hence, there is no restriction on b.

ii. a cannot assume the values 2 and 13.

iii. All values of a for which GCD(a, m) = 1.

Reason:
$x = ((q - b)\,a^{-1}) \bmod m$
$q^{-1}$ does not exist if gcd(a, m) ≠ 1
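An added Python check of parts (a) to (c), not part of the original assignment: it tests every key [a, b] by brute force and compares the result with the gcd rule. The function names are chosen here.

```python
from math import gcd

M = 26  # alphabet size


def affine_encrypt(a, b, p):
    return (a * p + b) % M


def affine_decrypt(a, b, c):
    # pow(a, -1, M) raises ValueError when gcd(a, M) != 1 (Python 3.8+).
    return (pow(a, -1, M) * (c - b)) % M


def is_one_to_one(a, b):
    """True when the 26 plaintext values map to 26 distinct ciphertext values."""
    return len({affine_encrypt(a, b, p) for p in range(M)}) == M


def usable_multipliers():
    """Values of a for which encryption is one-to-one, checked for every b."""
    return [a for a in range(M) if all(is_one_to_one(a, b) for b in range(M))]


def predicted_by_gcd():
    """Values of a allowed by the rule gcd(a, 26) = 1."""
    return [a for a in range(M) if gcd(a, M) == 1]


def collisions(a, b):
    """Ciphertext values hit by more than one plaintext value under key [a, b]."""
    seen = {}
    for p in range(M):
        seen.setdefault(affine_encrypt(a, b, p), []).append(p)
    return {c: ps for c, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    print("usable a:", usable_multipliers())
    print("a=2, b=3 collisions at ciphertext 3:", collisions(2, 3)[3])
```

Whether a key is one-to-one never depends on b in this check, which matches the answer to part (a).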

Problem 4.
Briefly explain that monoalphabetic substitution cipher is vulnerable under frequency analysis.

Proof.

Cryptanalysis: Frequency Analysis

Basic items:

- Each language has certain features: frequency of letters, or of groups of two or more letters
- Substitution ciphers preserve the language features
- Substitution ciphers are vulnerable to frequency analysis attacks

E.g.:

- Single letter: i and e are most used
- Double letter: th, he, an, is, er, ra, es, or, ...
- Triple letter: the, and, inn, tie, for, nde

Problem 5.
Suppose we are told that the plaintext "friday" yields the ciphertext "pqcfku" where the Hill cipher is used (m = 2). Find the KEY.

Proof.

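friday = pqcfku

$C = (pK) \bmod 26$

Let $K = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$

dy → ku (p → c):

$$\begin{pmatrix} 10 & 20 \end{pmatrix} = \begin{pmatrix} 0 & 24 \end{pmatrix} \begin{pmatrix} a & b \\ c & d \end{pmatrix} \bmod 26$$

$10 = (24c) \bmod 26$
$20 = (24d) \bmod 26$

c = 8 & d = 3

fr → pq (p → c):

$$\begin{pmatrix} 15 & 11 \end{pmatrix} = \begin{pmatrix} 5 & 17 \end{pmatrix} \begin{pmatrix} a & b \\ 8 & 3 \end{pmatrix}$$

$15 = (5a + 136) \bmod 26 = (5a \bmod 26 + 6)$
$16 = (5b + 51) \bmod 26$
$16 = ((5b) \bmod 26 + 25) \bmod 26$

a = 7, b = 19

$$K = \begin{pmatrix} 7 & 17 \\ 8 & 3 \end{pmatrix}$$

Check

id → cf:

$$\begin{pmatrix} 2 & 5 \end{pmatrix} = \begin{pmatrix} 8 & 3 \end{pmatrix} \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix} \bmod 26 = \begin{pmatrix} 80 & 161 \end{pmatrix} \bmod 26$$

LHS = RHS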
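The same known-plaintext recovery done with a matrix inverse, as an added Python example (not part of the original assignment; function names are chosen here). It uses the row-vector convention C = (pK) mod 26 from the solution above and solves K = P⁻¹C mod 26 from the first pair of blocks whose plaintext matrix is invertible; it returns a = 7, b = 19, c = 8, d = 3.

```python
from itertools import combinations
from math import gcd

M = 26  # alphabet size


def blocks(text):
    """Split lowercase text into row vectors of two letter indices (a=0 ... z=25)."""
    nums = [ord(ch) - ord("a") for ch in text]
    return [tuple(nums[i:i + 2]) for i in range(0, len(nums), 2)]


def encrypt_block(block, key):
    """C = (p K) mod 26 for one row vector p."""
    return tuple(sum(block[t] * key[t][col] for t in range(2)) % M for col in range(2))


def invertible_pairs(plaintext):
    """Index pairs of plaintext blocks whose 2x2 matrix is invertible mod 26."""
    pb = blocks(plaintext)
    return [(i, j) for i, j in combinations(range(len(pb)), 2)
            if gcd((pb[i][0] * pb[j][1] - pb[i][1] * pb[j][0]) % M, M) == 1]


def recover_key(plaintext, ciphertext):
    """Solve K = P^-1 C (mod 26), then confirm K against every known block."""
    pb, cb = blocks(plaintext), blocks(ciphertext)
    for i, j in invertible_pairs(plaintext):
        (p11, p12), (p21, p22) = pb[i], pb[j]
        det_inv = pow((p11 * p22 - p12 * p21) % M, -1, M)
        # Inverse of a 2x2 matrix: det^-1 times the adjugate, reduced mod 26.
        p_inv = [[det_inv * p22 % M, -det_inv * p12 % M],
                 [-det_inv * p21 % M, det_inv * p11 % M]]
        c = (cb[i], cb[j])
        key = [[sum(p_inv[r][t] * c[t][col] for t in range(2)) % M
                for col in range(2)] for r in range(2)]
        if all(encrypt_block(p, key) == q for p, q in zip(pb, cb)):
            return key
    return None


if __name__ == "__main__":
    print(invertible_pairs("friday"), recover_key("friday", "pqcfku"))
```

Only the block pair (fr, id) gives an invertible matrix here; any pair containing dy has an even determinant.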

Problem 6.
Let the message space M be {0, 1} with Pr[M = 0] = 1/3 and Pr[M = 1] = 2/3. Let the keyspace K = {0, 1} and a key be chosen uniformly at random. Let the encryption algorithm be defined as $c = Enc(k, m) = k \oplus m$. Compute the following:

(a) Pr[C = 0], (b) Pr[C = 0, M = 1], (c) Pr[C = 0 | M = 1],
(d) Pr[K = 0 | M = 1], (e) Pr[K = 0 | M = 1].

Proof. (a) $\Pr[C = 0] = \Pr[M = 0 \cap K = 0] + \Pr[M = 1 \cap K = 1]$
$= (1/2) + (2/3 \cdot 1/2)$
$= 3/6$
$\Pr[C = 0] = 1/2$

(b) $\Pr[C = 0 \cap M = 1] = \Pr[M = 1 \cap K = 1]$
$= 2/3 \cdot 1/2$
$\Pr[C = 0 \cap M = 1] = 1/3$

(c)

$$\Pr[C = 0 \mid M = 1] = \frac{\Pr[C = 0 \cap M = 1]}{\Pr[M = 1]} = \frac{1/3}{2/3} = \frac{1}{2}$$

(d)

$$\Pr[K = 0 \mid M = 1] = \frac{\Pr[K = 0 \cap M = 1]}{\Pr[M = 1]} = \frac{1/2 \cdot 1/3}{2/3}$$

$\Pr[K = 0 \mid M = 1] = 1/2$

(e)

$\Pr[K = 0 \mid M = 1] = \Pr[K = 0 \cap M = 1]$

$$= \frac{1/2 \cdot 2/3}{2/3}$$

$\Pr[K = 0 \mid M = 1] = 1/2$

Problem 7.
Show that an encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every message $m \in M$, and every ciphertext $c \in C$:
$\Pr[C = c \mid M = m] = \Pr[C = c]$.

Proof.

$$P[C = c] = \sum_{m \in M} P[C = c \mid M = m]\, P[M = m]$$

$$= \text{const} \cdot \sum_{m \in M} P[M = m]$$

$$= P[C = c \mid M = m]$$

Problem 8.
Show that an encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if and only if for every probability distribution over M, every message $m_0, m_1 \in M$, and every ciphertext $c \in C$:
$\Pr[C = c \mid M = m_0] = \Pr[C = c \mid M = m_1]$.

Proof.

Indistinguishability, $M_0$
$P[C = c \mid M = M_0] = P[C = c \mid M = M_1]$
$m \in M,\ c \in C$
$P[C = c] = P[C = c \mid M = m]$
$c \in C,\ m_0 \in M$
$P[C = c] = P[C = c \mid M = m_0]$
$c \in C,\ M_1 \in M$
$P[C = c] = P[C = c \mid M = M_1]$
$P[C = c \mid M = M_0] = P[C = c \mid M = M_1]$

Problem 9.
Prove or refute: For every encryption scheme that is perfectly secret it holds that for every distribution over the message space M, every $m, m' \in M$, and every $c \in C$:
$\Pr[M = m \mid C = c] = \Pr[M = m' \mid C = c]$.

Proof. Let us assume that $P[M = m \mid C = c] = P[M = m' \mid C = c]$ according to Shannon's definition.
For perfect security, the adversary should not have any advantage in decrypting the ciphertext

adv k, = 0
However,

if

$P[M = m \mid C = c] = P[M = m' \mid C = c]$
then
$P[M = m \mid C = c] > 1/2$
(or)
$P[M = m \mid C = c] < 1/2$
therefore,
adv k, = 0
therefore,
$P[M = m \mid C = c] = P[M = m' \mid C = c]$
Hence proved.

Problem 10.
Let M = C = K = {0, 1, 2, . . . , 255} and consider the following cipher defined over (K, M, C):
$E(k, m) = m + k \pmod{256}$; $D(k, c) = c - k \pmod{256}$. Does this cipher have perfect secrecy?

Proof.

$E[m] = (m + k) \bmod 256 = C$

$D[c] = (c - k) \bmod 256$

$$\Pr[C = 0 \mid M = 1] = \frac{\text{keys such that } E_k[M] = C}{256} = 1/256$$

$P[M = m] = 1/256$
Caesar sning algorithm is perfectly secure.

Problem 11.
Prove that OTP is perfectly secure.

Proof.
One-time pad (OTP)
$E_k[M] = M \oplus K$, $|K| = |C|$
$M \in \{0, 1\}^l$, $K \in \{0, 1\}^l$
$D_k[C] = C \oplus K$
$D[E_k[M]] = (M \oplus K) \oplus K = M$

$P[M = m] = 1/2^l$, $m \in M$, $c \in C$
$P[C \oplus K = M \mid C = c] = P[C \oplus K = M]$
$P[K = C \oplus M] = 1/2^l$, hence perfectly secure

Problem 12.
Show formally that the following schemes do not satisfy the definition of perfect security.

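(Caesar cipher) Key: a random $k \leftarrow \mathbb{Z}_{26}$. Encrypt a length-2 string $x \in \mathbb{Z}_{26}^2$ to the pair $x_1 + k \pmod{26}$, $x_2 + k \pmod{26}$.

(Two-time pad) Key: $k \leftarrow \{0, 1\}^n$. Encrypt $x \in \{0, 1\}^{2n}$ by $x_{1 \ldots n} \oplus k$, $x_{n+1 \ldots 2n} \oplus k$, where $\oplus$ denotes bitwise XOR.

(Substitution cipher) Key: a random permutation $\pi : \mathbb{Z}_{26} \to \mathbb{Z}_{26}$. Encrypt $x \in \mathbb{Z}_{26}^2$ by $\pi(x_1), \pi(x_2)$.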

Proof.
(i) To prove: $P[M = m \mid C = c] = P[M = m]$
LHS. $P[M = (C - K) \bmod 26 \mid C = c] = 1/26$
RHS. $1/(26 \times 26) = 1/676 \neq$ LHS, so not secure.

(ii) Let $C = C_1 \| C_2$
$M = C_1 \oplus k \,\|\, C_2 \oplus k$
LHS. $P[M = m \mid C = c] = P[M = C_1 \oplus k \,\|\, C_2 \oplus k \mid C = C_1 \| C_2] = 1/2^n$
RHS. $P[M = m] = 1/2^{2n} \neq$ LHS, so not perfectly secure.

(iii) L.H.S.
$P[M = m_1 m_2 \mid C = c_1 c_2] = P[M = \pi^{-1}(c_1)\,\pi^{-1}(c_2) \mid C = c_1 c_2] = (1/25) \times (1/26)$
R.H.S.
$P[M = m_1 m_2] = (1/26) \times (1/26)$

L.H.S ≠ R.H.S. Hence proved.

Problem 13.
Let (E,D) be a (one-time) semantically secure cipher where the message and ciphertext space is
{0, 1}n . Which of the following encryption schemes are (one-time) semantically secure? Prove or
disprove that schemes are semantically secure?
(i) E'(k, m) = 0 || E(k, m) (i.e. prepend 0 to the ciphertext)
(ii) E'(k, m) = E(k, m) || k
(iii) E'(k, m) = reverse(E(k, m))
(iv) E'(k, m) = E(k, m) || LSB(m)
(v) E'((k, k'), m) = E(k, m) || E(k', m)

Proof.
(i) E'(k, m) = 0 || E(k, m)
D'(k, m) = D[k, m − (1st bit of m) = 0]
insert an image here
If the adversary can break E', then another adversary can break E, which is impossible. Hence, E' is semantically secure.

(ii) M = C[1 : length(m)] C[length(m + 1) : 2 x length(m)]

(iii) Π' (key, E', D')
E'(m) = Reverse(E(m))
D'(c) = D(Reverse(c))
put the image here
This table shows that if an adversary can break the scheme with non-negligible probability, then there exists another adversary (challenger) who can break the secure scheme. Since no one can break the secure scheme, no one can break our scheme.

(iv) Π(key, Enc, Dec) is secure. E(m) = c; D(c) = m
Another scheme:
Π' (key, E', D')
E'(m) = E(m) + LSB of m
D'(c) = D(c − LSB of c)
Adversary sends m0, m1 to the challenger.
Challenger sends C = E'(Mb) to the adversary, b ∈ {0, 1}
This scheme is not secure.

Problem 14.
Consider the linear recurrence of degree 4:
$z_{i+4} = z_i + z_{i+1} \bmod 2$.
(a) Construct a diagram for the corresponding linear feedback shift register (LFSR).
(b) Construct a table to produce the key stream generated using this LFSR with the key K=(1,0,1,1).
What is its period?
(c) Write down the characteristic polynomial of this linear recurrence. Is it a primitive polynomial?
Explain your answer.

Proof.
(a)

(b)
S0 = 1, S1 = 0, S2 = 1, S3 = 1, S4 = 1,
S5 = 1, S6 = 0, S7 = 0, S8 = 0, S9 = 1,
S10 = 0, S11 = 0, S12 = 1, S13 = 1, S14 = 0,
S15 = 1, S16 = 0, S17 = 1, S18 = 1, ...

Periodicity = 15
$y = x^4 + x + 1$, therefore it is primitive.

Problem 15.
Consider the linear recurrence of degree 4:
$z_{i+4} = z_i + z_{i+1} + z_{i+2} + z_{i+3} \bmod 2$.
(a) Construct a diagram for the corresponding linear feedback shift register (LFSR).
(b) Construct a table to produce the key stream generated using this LFSR with the key K=(1,0,1,1).
What is its period?
(c) Write down the characteristic polynomial of this linear recurrence. Is it a primitive polynomial?
Explain your answer.

Proof.

S0 = 1, S1 = 0, S2 = 1, S3 = 1, S4 = 1,
S5 = 1, S6 = 0, S7 = 1, S8 = 1, S9 = 1, ...

Periodicity = 5. $y = x^4 + x^3 + x^2 + x + 1$, therefore it is not primitive.
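The key streams and periods of Problems 14 and 15, generated by an added Python example (not part of the original assignment; function names are chosen here). `taps` lists the offsets t for which $z_{i+t}$ enters the sum, so Problem 14 is `(0, 1)` and Problem 15 is `(0, 1, 2, 3)`.

```python
def lfsr_stream(taps, seed, count):
    """First `count` bits of z[i+n] = sum(z[i+t] for t in taps) mod 2."""
    bits = list(seed)
    n = len(seed)
    while len(bits) < count:
        i = len(bits) - n
        bits.append(sum(bits[i + t] for t in taps) % 2)
    return bits[:count]


def lfsr_period(taps, seed):
    """Steps until the n-bit register state returns to the seed state."""
    n = len(seed)
    start = tuple(seed)
    state = start
    for steps in range(1, 2 ** n + 1):
        new_bit = sum(state[t] for t in taps) % 2
        state = state[1:] + (new_bit,)       # shift left, feed back the new bit
        if state == start:
            return steps
    return None  # seed is not on a cycle (only possible when offset 0 is not a tap)


def is_maximal_length(taps, seed):
    """A degree-n recurrence has a primitive polynomial exactly when a nonzero
    seed reaches the maximum period 2^n - 1."""
    return lfsr_period(taps, seed) == 2 ** len(seed) - 1


KEY = (1, 0, 1, 1)  # K from both problems

if __name__ == "__main__":
    for name, taps in (("Problem 14", (0, 1)), ("Problem 15", (0, 1, 2, 3))):
        print(name, lfsr_stream(taps, KEY, 19),
              "period", lfsr_period(taps, KEY),
              "maximal", is_maximal_length(taps, KEY))
```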

Problem 16.
In class we explained that the one time pad is malleable. Let's see a concrete example. Suppose you are told that the one time pad encryption of the message "attack at dawn" is 09e1c5f70a65ac51626bc3d25f17 (the plaintext letters are encoded as 8-bit ASCII and the given ciphertext is written in hex). What would be the one time pad encryption of the message "attack at dusk" under the same OTP key?

Proof.
k1 = a ⊕ d2 = 97 ⊕ d2
k2 = w ⊕ 5f = 119 ⊕ 5f
k3 = n ⊕ 17 = 110 ⊕ 17
k1 = 01100001 ⊕ 11010010 = 10110011
k2 = 01110111 ⊕ 01011111 = 00101000
k3 = 01101110 ⊕ 00010111 = 01111001

c1 = u ⊕ k1
= 117 ⊕ 10110011
= 01110101 ⊕ 10110011
= 11000110 = c6

c2 = s ⊕ k2
= 115 ⊕ 00101000
= 01110011 ⊕ 00101000
= 01011011 = 5b

c3 = k ⊕ k3
= 107 ⊕ 01111001
= 01101011 ⊕ 01111001
= 00010010 = 12

Message = 09e1c5f70a65ac51626bc3c65b12
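The byte-by-byte calculation above, carried out over the whole message as an added Python example (not part of the original assignment; function names are chosen here). It recovers the pad bytes from the known plaintext and shows that only the three positions where the two messages differ change in the ciphertext.

```python
CIPHERTEXT_HEX = "09e1c5f70a65ac51626bc3d25f17"  # from the problem statement


def xor_bytes(x, y):
    if len(x) != len(y):
        raise ValueError("inputs must have equal length")
    return bytes(a ^ b for a, b in zip(x, y))


def recover_keystream(ciphertext_hex, known_plaintext):
    """pad = ciphertext XOR plaintext, for every byte of the message."""
    return xor_bytes(bytes.fromhex(ciphertext_hex), known_plaintext.encode("ascii"))


def reencrypt_under_same_key(ciphertext_hex, known_plaintext, new_plaintext):
    """Ciphertext of new_plaintext under the pad that produced ciphertext_hex."""
    pad = recover_keystream(ciphertext_hex, known_plaintext)
    return xor_bytes(pad, new_plaintext.encode("ascii")).hex()


def changed_offsets(old_hex, new_hex):
    """Byte offsets at which two equal-length ciphertexts differ."""
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]


if __name__ == "__main__":
    new_ct = reencrypt_under_same_key(CIPHERTEXT_HEX, "attack at dawn", "attack at dusk")
    print(new_ct)
    print("pad bytes k1..k3:", recover_keystream(CIPHERTEXT_HEX, "attack at dawn")[11:].hex())
    print("changed offsets:", changed_offsets(CIPHERTEXT_HEX, new_ct))
```

Nothing in the ciphertext reveals the change to the receiver, which is why a one-time pad needs a separate integrity check such as a MAC.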

Problem 17.
MS-PPTP is a protocol for a client wishing to communicate securely with a server. They both share a secret key k. Here the client sends a message m1 and the server responds with s1. Again the client sends a message m2 and the server responds with s2. Similarly the client sends a message m3 and the server responds with s3, etc.
It is an example of a two-time pad. Explain. Also briefly explain how to compute m1, m2, m3 and s1, s2, s3.

Proof.

M1 = M ⊕ K1
S1 = C ⊕ K1
M1 ⊕ S1 = M ⊕ C
Because of patterns in the English language, M and C can be found from M ⊕ C.
As the same key is used twice, it is a 2 time pad.

Problem 18.
What RC4 key value will leave S unchanged during initialization? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 through 255 in ascending order.

Proof.
Use a key of length 255 bytes. The first two bytes are zero; ie. K[0] = K[1] = 0.
Thereafter, we have : K[2] = 255, K[3] = 254, ... K[255] = 2.
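An added Python check of this answer (not part of the original assignment; function names are chosen here). It runs the standard RC4 key-scheduling loop with the key bytes K[0] through K[255] exactly as listed above and records the swap index j at every step: S stays in ascending order only if j equals i each time.

```python
def rc4_ksa(key, trace=None):
    """RC4 key scheduling. Returns the permuted S; appends each j to `trace`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
        if trace is not None:
            trace.append(j)
    return s


def identity_key():
    """K[0] = K[1] = 0, then K[2] = 255, K[3] = 254, ..., K[255] = 2."""
    return bytes([0, 0] + list(range(255, 1, -1)))


def leaves_s_unchanged(key):
    return rc4_ksa(key) == list(range(256))


def swap_indices(key):
    """The value of j at each step i of the key schedule."""
    trace = []
    rc4_ksa(key, trace)
    return trace


if __name__ == "__main__":
    key = identity_key()
    print("key entries:", len(key))
    print("S unchanged:", leaves_s_unchanged(key))
    print("j == i at every step:", swap_indices(key) == list(range(256)))
    # Constructed comparison input: an all-zero 16-byte key does permute S.
    print("all-zero key leaves S unchanged:", leaves_s_unchanged(bytes(16)))
```

For i ≥ 1 the listed bytes satisfy K[i] ≡ 1 − i (mod 256), which is exactly the condition (i − 1) + i + K[i] ≡ i that keeps j equal to i.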

Problem 19.
Assume that the initial permutation S is randomly chosen from the set of all the possible permutations of 0, ..., 255. Then prove that the probability that the second output word of RC4 is 0 is approximately 2/256.

Proof. Pr[S[t] == x] = 1/256 + some negligible function


( Ideal case when Pr[S[t] == x] = 1/256 )

If (S[2]==0) then 2nd output is 0
Pr[Z2==0] = Pr[Z2==0/S[2]==0] * P[S[2]==0] + P[Z2==0/S[2]!=0] * P[S[2]!=0]
= 1(1/N) + (1/N)(1-1/N)
= 2/N
(1/N*N) is approximately 0
