CIS 5371 Cryptography
Home Assignment 1 wt Answers
Due: At the beginning of the class on Feb 11, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to
Modern Cryptography.
• 1.3 Consider an improved version of the Vigenère cipher, where instead of using multiple
shift ciphers, multiple mono-alphabetic substitution ciphers are used. That is, the key
consists of t random permutations of the alphabet, and the plaintext characters in positions
i, t + i, 2t + i, and so on, are encrypted using the ith permutation. Show how to break this
version of the cipher.
Solution: The first point to note is that Kasiski’s method for determining t works for this
cipher as well. The only difference is therefore in the second stage of the attack. Here, one
needs to build a frequency table for each of the t keys, and carry out an attack like on the
mono-alphabetic cipher. Given a long enough plaintext, this will work successfully.
• 1.5 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a
known-plaintext attack. (Assuming normal English text is being encrypted in each case.)
How much known plaintext is needed to completely recover the key for each of the ciphers
(without resorting to any statistics)?
Solution: For the shift cipher: given a single plaintext character p and ciphertext character c, the key is simply k = (c − p) mod 26. The encryption of only a single plaintext
character thus suffices to recover the key.
For the mono-alphabetic substitution cipher, given a plaintext character pi and corresponding ciphertext character ci , we can conclude that π(pi ) = ci (where π is the permutation
determining the key).
In order to fully determine the key, it therefore suffices to be given the encryption of a
plaintext containing 25 distinct letters of the alphabet. (Since π is a permutation, knowing
the value of π on 25 inputs fully determines the value of π on the last remaining input.)
Note that if normal English text is encrypted, however, much more than 25 letters will be
needed before 25 distinct letters occur. For the Vigenère cipher, each part of the key can
be recovered as in the shift cipher. Thus the encryption of t (consecutive) characters of
plaintext suces for recovering the entire key.
• 1.6 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a
chosen-plaintext attack. How much plaintext must be encrypted in order for the adversary
to completely recover the key? Compare to the previous question.
Solution: The attacks on the shift and Vigenère ciphers remain the same as in the previous
question. However, for the substitution cipher, it is now possible to use a chosen-plaintext
attack to ask for an encryption of a carefully chosen plaintext that contains 25 distinct
letters of the alphabet. Given the resulting ciphertext, it is then possible to fully recover
the key. Thus, less plaintext is required as compared to the previous exercise.
1
• 2.2 Prove or refute: For every encryption scheme that is perfectly secret it holds that for
every distribution over the message space M, every m, m0 ∈ M, and every c ∈ C:
P r[M = m | C = c] = P r[M = m0 | C = c].
Solution: We refute the statement by providing a counter-example. Let the set of plaintexts be {a, b} and consider the distribution where Pr[M = a| = 1/4 and Pr[M = b] = 3/4.
If we encrypt using any perfectly secret encryption scheme, we know that for every c ∈ C,
Pr[M = a|C = c] = Pr[M = a] 6= Pr[M = b] = Pr[M = b|C = c],
where the first and last equalities hold by definition of perfect secrecy. So the claim in the
exercise is not true.
• 2.3 When using the one-time pad (Vernam’s cipher) with the key k = 0` , it follows that
Enck (m) = k ⊕ m = m and the message is effectively sent in the clear! It has therefore
been suggested to improve the one-time pad by only encrypting with a key k 6= 0` (i.e.,
to have Gen choose k uniformly at random from the set of non-zero keys of length `). Is
this an improvement? In particular, is it still perfectly secret? Prove your answer. If your
answer is positive, explain why the one-time pad is not described in this way. If your
answer is negative, reconcile this fact with the fact that encrypting with 0` doesn’t change
the plaintext.
Solution: The modified scheme is not perfectly secret. To see this formally, consider the
uniform distribution over M = {0, 1}` . For any fixed message α ∈ {0, 1}` , we have
Pr[M = α|C = α] = 0 6= Pr[M = α].
This contradicts perfect secrecy. We conclude that in order to obtain perfect secrecy, it
must be possible to encrypt using the key 0` . This may seem counter-intuitive, since this
key does not change the plaintext. However, note that an eavesdropper has no way of
knowing if the key is 0` , so the fact that the ciphertext is the same as the plaintext in this
case is really of no help to the adversary.
2