CIS 5371 Cryptography
Home Assignment 1 with Answers
Due: At the beginning of the class on Feb 11, 2016

Exercises taken from the course textbook: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography.

• 1.3 Consider an improved version of the Vigenère cipher, where instead of using multiple shift ciphers, multiple mono-alphabetic substitution ciphers are used. That is, the key consists of t random permutations of the alphabet, and the plaintext characters in positions i, t + i, 2t + i, and so on, are encrypted using the ith permutation. Show how to break this version of the cipher.

Solution: The first point to note is that Kasiski's method for determining t works for this cipher as well. The only difference is therefore in the second stage of the attack. Here, one needs to build a frequency table for each of the t keys, and carry out an attack like on the mono-alphabetic cipher. Given a long enough plaintext, this will work successfully.

• 1.5 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a known-plaintext attack. (Assuming normal English text is being encrypted in each case.) How much known plaintext is needed to completely recover the key for each of the ciphers (without resorting to any statistics)?

Solution: For the shift cipher: given a single plaintext character p and ciphertext character c, the key is simply k = (c − p) mod 26. The encryption of only a single plaintext character thus suffices to recover the key.

For the mono-alphabetic substitution cipher, given a plaintext character p_i and corresponding ciphertext character c_i, we can conclude that π(p_i) = c_i (where π is the permutation determining the key). In order to fully determine the key, it therefore suffices to be given the encryption of a plaintext containing 25 distinct letters of the alphabet. (Since π is a permutation, knowing the value of π on 25 inputs fully determines the value of π on the last remaining input.)
Note that if normal English text is encrypted, however, much more than 25 letters will be needed before 25 distinct letters occur.

For the Vigenère cipher, each part of the key can be recovered as in the shift cipher. Thus the encryption of t (consecutive) characters of plaintext suffices for recovering the entire key.

• 1.6 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a chosen-plaintext attack. How much plaintext must be encrypted in order for the adversary to completely recover the key? Compare to the previous question.

Solution: The attacks on the shift and Vigenère ciphers remain the same as in the previous question. However, for the substitution cipher, it is now possible to use a chosen-plaintext attack to ask for an encryption of a carefully chosen plaintext that contains 25 distinct letters of the alphabet. Given the resulting ciphertext, it is then possible to fully recover the key. Thus, less plaintext is required as compared to the previous exercise.

• 2.2 Prove or refute: For every encryption scheme that is perfectly secret it holds that for every distribution over the message space M, every m, m′ ∈ M, and every c ∈ C:

Pr[M = m | C = c] = Pr[M = m′ | C = c].

Solution: We refute the statement by providing a counter-example. Let the set of plaintexts be {a, b} and consider the distribution where Pr[M = a] = 1/4 and Pr[M = b] = 3/4. If we encrypt using any perfectly secret encryption scheme, we know that for every c ∈ C,

Pr[M = a | C = c] = Pr[M = a] ≠ Pr[M = b] = Pr[M = b | C = c],

where the first and last equalities hold by definition of perfect secrecy. So the claim in the exercise is not true.

• 2.3 When using the one-time pad (Vernam's cipher) with the key k = 0^ℓ, it follows that Enc_k(m) = k ⊕ m = m and the message is effectively sent in the clear!
It has therefore been suggested to improve the one-time pad by only encrypting with a key k ≠ 0^ℓ (i.e., to have Gen choose k uniformly at random from the set of non-zero keys of length ℓ). Is this an improvement? In particular, is it still perfectly secret? Prove your answer. If your answer is positive, explain why the one-time pad is not described in this way. If your answer is negative, reconcile this fact with the fact that encrypting with 0^ℓ doesn't change the plaintext.

Solution: The modified scheme is not perfectly secret. To see this formally, consider the uniform distribution over M = {0, 1}^ℓ. For any fixed message α ∈ {0, 1}^ℓ, we have

Pr[M = α | C = α] = 0 ≠ Pr[M = α].

This contradicts perfect secrecy. We conclude that in order to obtain perfect secrecy, it must be possible to encrypt using the key 0^ℓ. This may seem counter-intuitive, since this key does not change the plaintext. However, note that an eavesdropper has no way of knowing if the key is 0^ℓ, so the fact that the ciphertext is the same as the plaintext in this case is really of no help to the adversary.
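
The arguments in 2.2 and 2.3 can be checked exhaustively for a small key length by computing Pr[M = m | C = c] with exact fractions. The Python below is an added example, not part of the assignment or the textbook; ℓ = 3 and the encoding of the messages a, b as 000, 111 are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import product


def posterior(prior, keys):
    """Return {(m, c): Pr[M = m | C = c]} for Enc_k(m) = k XOR m.

    prior maps each message (a tuple of bits) to Pr[M = m]; Gen picks a key
    uniformly from `keys`. Only ciphertexts with Pr[C = c] > 0 are reported.
    """
    joint = {}  # (m, c) -> Pr[M = m and C = c]
    for m, pm in prior.items():
        if pm == 0:
            continue
        for k in keys:
            c = tuple(a ^ b for a, b in zip(k, m))
            joint[m, c] = joint.get((m, c), 0) + pm * Fraction(1, len(keys))
    pc = {}  # c -> Pr[C = c]
    for (m, c), p in joint.items():
        pc[c] = pc.get(c, 0) + p
    return {(m, c): joint.get((m, c), Fraction(0)) / pc[c]
            for m in prior for c in pc}


def perfectly_secret(prior, keys):
    """True iff Pr[M = m | C = c] == Pr[M = m] for every m and every possible c."""
    return all(p == prior[m] for (m, c), p in posterior(prior, keys).items())


ELL = 3                                           # assumed key/message length
ALL_KEYS = list(product((0, 1), repeat=ELL))      # one-time pad key space
NONZERO_KEYS = [k for k in ALL_KEYS if any(k)]    # modified scheme of exercise 2.3
UNIFORM = {m: Fraction(1, 2 ** ELL) for m in ALL_KEYS}
A, B = (0,) * ELL, (1,) * ELL                     # assumed encodings of a and b
SKEWED = {A: Fraction(1, 4), B: Fraction(3, 4)}   # prior from the 2.2 solution

if __name__ == "__main__":
    print("OTP, uniform prior:      ", perfectly_secret(UNIFORM, ALL_KEYS))
    print("OTP, skewed prior:       ", perfectly_secret(SKEWED, ALL_KEYS))
    print("non-zero keys, uniform:  ", perfectly_secret(UNIFORM, NONZERO_KEYS))
    post = posterior(SKEWED, ALL_KEYS)
    c = ALL_KEYS[5]
    print("2.2: Pr[a|c], Pr[b|c] =", post[A, c], post[B, c])
    alpha = ALL_KEYS[3]
    print("2.3: Pr[M=alpha | C=alpha] =", posterior(UNIFORM, NONZERO_KEYS)[alpha, alpha])
```
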