Chapter 7

1. Encipher the following message using $\begin{pmatrix} 11 & 5 \\ 6 & 3 \end{pmatrix}$.

TWO PLUS TWO IS GREATER THAN FIVE, FOR SUFFICIENTLY LARGE TWO.

2. Encipher the following message using 13 4 7 3 0 5 21 2 2.

MY GIRLFRIEND’S GOT A GUN - I’LL SPEND THE REST OF MY LIFE PLAYING HIDE AND SEEK [1]

3. Verify the keyspace for 2x2 matrix encryption. You may do this by either writing a computer program to check the determinants of all possible 2x2 matrices to see which are invertible or by applying the formula provided in Overbey, Jeffrey, William Traves, and Jerzy Wojdylo, On the Keyspace of the Hill Cipher, Cryptologia, Vol. 29, No. 1, January 2005, pp. 59-72. Available online at http://jeff.actilon.com/keyspace-final.pdf.

4. Can every possible digraphic substitution be realized by matrix encryption? Hint: compare keyspaces.

5. Verify the keyspace for 3x3 matrix encryption. You are strongly encouraged to solve this by applying the formula provided in the reference given in exercise 3, although you may write a program and patiently wait…

6. The unicity point for a random N-gram substitution cipher is $.90 \log (26^N)!$. [2] How do you think this compares to that for encryption with an NxN matrix? Explain your reasoning. In chapter 10, I’ll reveal a formula for computing unicity points and an exercise will ask you to go back and calculate it for 2x2, 3x3, and 4x4 matrix encryption, but for now I want you to simply think about it. Perhaps you’ll figure out the key component in the formula before it is unveiled!

7. Can an enciphering matrix have the form $\begin{pmatrix} \text{even} & \text{even} \\ \text{even} & \text{even} \end{pmatrix}$? Justify your answer!

8. H. Gary Knight provided the following 2x2 matrix encryption ciphertext as his very first problem for readers of his column in Cryptologia. [3]

QHDIW QQQEI WFRLI YLUIO WQUVC NQDHV SNTQV YRLEP RVMND ERMOA
GTNFQ QGWBS TJXCR IWQUH PBQME XMTXH WFXJS ACOZA SPKGS PAOYV NSJQK JXHZU PACAA I.

Prior to enciphering, Knight converted the letters to numbers using the assignments A=1, B=2, C=3,… Z=26. He gave two probable words, SUBMARINE and OBSERVING, as hints. Feel free to apply Levine’s attack or brute force a solution with a computer.

[1] From a song by The Lawndarts.
[2] Deavours, C. A., Unicity Points in Cryptanalysis, Cryptologia, Vol. 1, No. 1, January 1977.
[3] Knight, H. Gary, Cryptanalyst’s Corner, Cryptologia, Vol. 2, No. 1, p. 72.

9. Levine’s attack depends on parity (even or odd). Is it significant (i.e., cryptanalytically useful) that all vowels are even, if we start our numbering with A=0? We have A=0, E=4, I=8, O=14, U=20, Y=24.

10. Using the assignments A=1, B=2, C=3,…, Y=25, Z=0, and a 3x3 matrix for encryption, Levine obtained the following ciphertext message:

MIU GNJ WWU YHZ DNS WVK RFV LLK AMP IGS MIU WKN OEM IEK ORW WAE KZB APL KYP MEU ZMO QIX FHS SJI DDJ KFY BWW HQP KLI NKG TMJ ROB TZE

One typo has been corrected for reproduction here. In the May 1961 paper [4] where Levine detailed his crib attack, he provided the probable plaintext THREE CONGRUENCES and showed how it may be used to recover the message. Go ahead and do this without referring to the original paper. Note: in the 2x2 example there were 4 possible forms, but for the 3x3 case, there will be 8.

11. Decipher the following message enciphered using a 2x2 matrix.

WVUQU FPOJS NJSMT MAGKQ URXJX SBQAU HSCZR LXGWI VXMEC NUWBU KWMJZ UWVGH LXLVH FFUKU EPKZO UHSBY UGEPR JFIUM IIGZR QCEHA FWORX UMDWO DTYET AGKQN FVVRE JOSFG KLYDE OJCGM DVNNL XGWIF TFAQK PDDXL PEIUR SANSL VBZVD NOHJD KVOYM NMYUO DYWML ERTVD WICOT AKAWH DFAIT MDYMT NKROF VSBRD YKQYV FMTGV UHESO RDBHN XGCEK OKFNF KICEO OF JOKFN MWIRD TNZXG POJEI UFPCE TVTNP GWKOE CJVOG HZJIR YSEAL UXADN KMMUR GENQX PSFRS KBDMZ NQJJC VNTNP

12. Decipher the following message enciphered using a 3x3 matrix.
WMUHC ONHNG PMYDP BBGAV ZNWRP OMRKH EIHVA JRVCJ TNCPO SWDAG UZSPJ PRMAY SFKJE TNPXJ XWGDL EAKNA OIGYZ KVEJU QSPMU VKSSP FCTMN YKENH OFVBS EAHFB VKXVY AYWTM MSWMG OTJEK VOMFU FQDRU UVILX TXYDH VWFPE TZYUV NXDGE QMMET AVNTF YKMEB VQQSF QPTTN CFZJR MVXIT CPRMK ODHQD YOPLF PYBCI TUTYN GZAYW UBDEX ZUNQV IKLFC EBXQL JVMKU IZUDR NQPXF GUHAA VBXYX CLKJG LZKLS NCRRM XVNFT WBBTG JRPVA IMIYM EQUSM ZNBEP RTYAK YILXV BWETL NVNPC RJXUQ YZCJE SBOEV YZMPU XJ

13. Decipher the following message enciphered using a 4x4 matrix.

OFQXB XEFCX HFWBR MHTWR ZHMST DBVKL JDCUG NAWTE XLZJJ SGQRQ VNFES YQSJN BETEK TRCTZ YQEVE EVEHH ZXGQM VSJPT PAMHI ECKKW PQYUE VUSCN FDKKT LPYRJ YIRAW BOPHQ XBMCX DTYML IHQBW LNMRY ZOZHY YFAEL LGOOW REGTU HWCGM VHXSU RIYWF XMJRU FPOMC NCYZE RWJQB PAOWQ WYAMQ DGNTD SCYEH EEKQL ULNPZ QZOMH SUPAD GLXJR CXQWA IFXCH PEQHT NKOWH ALYJB LAQFG IDYGH XISGJ UUAJK YPPFP WKVXX WPYQB QKQFJ WMEWI WIUHZ IDJPJ FRRGK WGEVE STFJM TEJGK DRPTV E NKZWA RLEUB QJZBC CPJRU ANDDO CPLWF RWJQD EIOFG QEHWQ IKRGJ ICMGB ULSFE KKWSV IXEOX KJAIT DBSWY

14. How many plaintext/ciphertext pairs are needed to uniquely determine a 3x3 matrix? If your answer is denoted by n, will any n pairs suffice? If not, what condition must hold to make them sufficient?

[4] Levine, Jack, Some Elementary Cryptanalysis of Algebraic Cryptography, American Mathematical Monthly, vol. 68, No. 5, May 1961, pp. 411-418.

Chapter 8

1. Suppose the following was presented as the plaintext/ciphertext generated by an Enigma machine. Could the claim be true? Explain why or why not.

Plaintext:  DERNATIONALSOZIALISMUSHATALLEWERTEZERSTOERT
Ciphertext: HEKIFHSLQOOFHECSMZHFVBDUTOPSKEFAJNDLRHEMDFS

2. Express the Atbash substitution cipher below using cyclic permutation notation.

Plaintext:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Ciphertext: ZYXWVUTSRQPONMLKJIHGFEDCBA

3. Express a Caesar shift of 3 using cyclic permutation notation.

4.
For the commercial Enigma, we had

H:
Input:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: JWULCMNOHPQZYXIRADKEGVBTSF

$H^{-1}$:
Input:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Output: QWERTZUIOASDFGHJKPYXCVBNML

Express each of these in cycle notation.

5. Find all possible factorizations of AD = (UMJWBOKNZPVCL)(GFDAERIQSXYHT)

6. Find all possible factorizations of AD = (UHEBVOKJSX)(QPRLAGDNFZ)(IWY)(MTC)

7. Given the following enciphered session keys, recover the permutations AD, BE, and CF.

ANX GBP    JGD JPA    SOA RVZ
BRF OXM    KZN IUT    TDP QQU
CCL DFK    LFJ LYH    UJZ CTD
DMQ PLY    MAT NZE    VXY ZAI
EIV FMR    NQB SCF    WEK BGW
FUE XKG    OTM HRJ    XYC YSQ
GBS UWL    PKR TIS    YHW ENV
HPI MDC    QLG AON    ZWO KEB
ISU VHX    RVH WJO

8. In Simon Singh’s The Code Book, he gives an example of what we called the permutation product AD. [5] It’s presented in a different format, but is equivalent to AD = (AFW)(BQZKVELRI)(CHGOYDP)(JMXSTNU). What is wrong with this example?

9. In calculating the number of ways an Enigma plugboard can be wired, the identity

$$\binom{26}{2p}(2p-1)(2p-3)(2p-5)\cdots(1) = \frac{26!}{(26-2p)!\,(2p)!}\cdot\frac{(2p)!}{p!\,(2^p)}$$

was used. Prove that this is true.

10. In some systems, enciphering a message twice with distinct keys is no different than enciphering once with some other (single) key. This is the case for any monoalphabetic substitution ciphers, Vigenere ciphers, matrix encryption, and more. Is it the case for Enigma?

11. Is there a way to distinguish messages that have been enciphered twice with Enigma (using two different keys) from messages that have only been enciphered once?

[5] Singh, Simon, The Code Book, Doubleday, New York, 1999, p. 152.

Chapter 9

1. Complete the decipherment of the Red training exercise begun in this chapter. Warning! The encipherer made several errors.

2. If the sixes alphabets and the twenties alphabets are all known for Red, but a given message may start with any one of those alphabets for each group of letters, how many possible starting positions are there altogether?

3.
If the sixes for Purple are E, H, K, P, R, and S, what is the average frequency for the sixes and what is the average frequency of the twenties? Base your answer on the frequencies provided in Chapter 2.

4. If the sixes for Purple are B, D, K, N, S, and W, what is the average frequency for the sixes and what is the average frequency of the twenties? Base your answer on the frequencies provided in Chapter 2.

5. From the Purple ciphertext below, determine the sixes and twenties. [6]

NHSG AUVY OAOD WAKH QYWG CHBD JLXE ZISJ GESH QHBO PYOE VHRZ XIEE EYHO EQNA EUMS EEOQ X DZAQ VHHV XXOQ WEHM YSOV NUAA QFNU KSYQ RQZH IBSO OTSR AHYK EOCD GOSS ZNYF GFNQ ZRAR SEVG ONTO CATO TXQE SHPS TONE LOWL AXDS RROJ JEAI QSSH HTZR NZFG IWON STOE SZOW EOCE MAES HNNN UEOP JHLH EWNH CYDN SOIS KNSO QARC EOLE VANN SCGM OHTA MEVA BNSC AOLE BONZ VESH BMEM AHEF EMEL ASKM BDSI AOOJ OVHO EBEB UTON SXEV EUEA AKSO AJCL CVSQ MHUS KNQN AJGL IHUL DOEV EIJU AJAK MOQK HOAI PEDA THGD OLEO AOHE LSRE CODA POEB OHDA OZGO EHMN AOMZ IVOE EHES AVAN TIPB HNNY WMNC PSFO EOOG SNAJ TSSL NYNF AANH RAWZ ERSS UEFU LODA OFBE ENSC AEMA PADN JRXR SHNN UHZB DXPP MUAC AAXX CKBW EHKL SGHE OMWQ QCVJ SCES NHKX EBFG SOAO TSAR KESG HDZO FTBS NMZO XSAA VHDD HUMH AMAO HEFA OSOZ AZHX HJOZ IEES HNUN OLOQ HPDN YFNA ESLH DBSP GXAC NUUN ETZO HQYN XCLE LHOB KZWS EHWX GTIF GOZH ZGAA FFNK ITEB HPAH DHXT OJSS TGIG MSLG SZOO ISMV AZOJ RSSA AKTR QSPC YNNE HPXE AKAO LSSA IBVN ZAET ZHNH OHSJ ONOO ESZS DSHJ SANJ AWHT HONO QAWY BJTD CLAN IHPO HYME RXAX UTSB HESD QAHE QHES OHJA IBUS HDLN OSOA ESEZ HZES EQNC FHHS XOEV PKOL WIEH NEAE NROL AEMG FOGE

[6] Encrypted using the Purple simulator available at http://cryptocellar.org/simula/purple/index.html.

6. From the Purple ciphertext below, determine the sixes and twenties. [7]

RCDK HBYM KDEU RYQX HJZZ BQGO XRSR ETYP NZFQ COBA EHYQ YCNJ XKED HTJU TWSP HJQQ BPYK KSOZ XCEQ BLJH XTSW QUPR QXMJ KBEA NUMG QHIE EVQZ IPBF BUZY SKFR WEDZ MKWS RVSM PKGG NZQK NLYH FSSB AKCG CEAI
YRET SOTE SXUY RAWM DTFC YULQ SSXO YEZH ZURW MBJB LCMP XLGN ARBW GEDD KEUU KYQK KZEF JNEL RLSN HETG JEFQ MLCK WNVN ENZX KYOR IKKJ AOYN QVBR RNDY AMKM HNJT OHHG QZRE WBNS WESA NVEM XTEV KIUS XVHS WYOO EFBL KMGA KAAQ OGJQ LYWL TJMC SIQY YKCO VSHX JKKW LKZQ YESY TIJS SVVI SBLA DUGN TZTU VEWB NSUQ HDUQ NFIH DZIE YWTC SSTS DSQZ WMOQ ZLQO VILV NVGQ OYOM SBCK XHOX PCFE AEGY DDUJ WOJF NAMZ MHZM EDOM EQKC MMBU LUDX GFWM NLAL KMAV JPMQ KTWA VNSP ZCUG UDKZ RUNP VKDY ONNE UHQT NRGM XETA HPRN CHWO HCRJ EQQZ ZNYG HVRW NBNQ CQKY AKNN PIAG CAAF MSHV HWDK E NUQK JCPQ URPL VSYC HVME VZKC OGBB ZGDH HTHI XVCH XINH JKQG QMBB VKHC VSFJ NCFP MAZK NNTQ RFSR DGMD EOGH JGOC QOHM XLUU FQIY AUQN GNOS NSOO HJVU XJKZ KKWK WKAR HFOV HYDN BVMH MQEN QDDN FVTM GBCF HOZX SPGX DJIK UFRH VHHQ QZGD JCUY LJJE FEPE RDWP OCUX FKPZ MQHY PXJN OLUH HNSU ENDA PICK DGPP SXUD IQDB EQWF BKXB KJRB HQMC EAMP XASZ HLDR SNIG LAQM WDNA UBES MOPJ ORNQ FTMH XNUH QDGO QGBI NTAL KKQW LMBT QKWQ DAZO JHQK MKWQ YKZS JBKF BGAZ PEQP NKVR GQJL MIXW OIEB SFRD INQK EVXE RBIE NEXV SQAE ASQU EKWJ FCZU NGQH CUHA CMYD ZKQU ENFL NTWZ SKOG YYWS TXKN BHEB ERPN SKIQ KHTE PRWP ASZM SIXI FYKK GYCG SWWC IIWB AEBP HOGY UCRB GTBC SQIF FOTR WEMJ BTFE THEF IKZE SSYM KNBB KLXK XEBB AQOK GEXT WWPL QPKU MTSQ NHFO BAQE HELF VNIF NOHL QKIA DQKH KWVT OVRS MVCZ SJHH EIKC KZGD GWRV RFNE ALKD XIOQ ZQJK SJES LKPR IALI YSKC HOLC KZHA QMFN EIMJ VGUC AFOE

[7] Encrypted using the Purple simulator available at http://cryptocellar.org/simula/purple/index.html.

7. Select the sixes in such a way that their average frequency is as close as possible to the average frequency of the twenties. Would this be desirable?

8. If you have a known plaintext and the corresponding ciphertext in Purple, and the sixes were chosen to be the vowels, how many of these vowels would have to be present (at a minimum) in the messages to uniquely determine all 25 substitutions for the sixes? Is there a maximum value?
Using the minimum, and the average percentage of vowels in a given message, what is the expected length of the message needed? For the sake of this problem, assume that the message is in English.

9. Suppose you have determined that the sixes for a Purple message are given by E, Q, A, D, R, and H and the partial decipherment of a message is

Ciphertext: BRAXEFQCEVQOOXHECFDLNHQRVQPPLCERP
Message:    -HE-A-A-E-E---ER--E--REQ-E----HA-

Use context and word patterns (not math!) to fill in the missing letters. To make the exercise easier, the plaintext is in English.

10. Suppose you have determined the first ten cycle 1 alphabets for the Purple machine and the first cycle 2 alphabet. Your results appear below. Assume the machine is in a configuration such that the second pattern observed by Genevieve Grotjan holds and use this pattern to determine alphabets 2 through 10 for cycle 2.

Cycle 1
Alphabet 1:  WHFXDYRZGJSINTKABUCPQLEMVO
Alphabet 2:  YKGFWCSINBPZDQHORTXJUMAVEL
Alphabet 3:  LWZBRSMTIUPDFHACVNGXJYQKOE
Alphabet 4:  NELCIVAYUSPXKQFZTGJWBRODMH
Alphabet 5:  NTYKGJCZXUBPFVMQLRDOASEIHW
Alphabet 6:  LOTEUJGKIHMYZBXVNRQAFDCSPW
Alphabet 7:  WCXULRGPNVIDMOETZAJHFYQSBK
Alphabet 8:  GPZIARVTKQHUEWJXSNOLBFYCMD
Alphabet 9:  XGFETNDIZHPJRLYAOCKSVMBUQW
Alphabet 10: BFMWGXJIOCVDUQEPNAYZSTLHKR

Cycle 2
Alphabet 1:  IVSFNBWXMYQUTPOGDKHZJRACEL

10. Repeat the previous exercise, but this time assume the machine is in a configuration such that the first pattern observed by Genevieve Grotjan holds.

11. How could you change Purple to make it more secure?

Chapter 10

1. Calculate the first order entropy, $H_1$, of the following passage from A Clockwork Orange: “Our pockets were full of deng, so there was no real need from the point of crasting any more pretty polly to tolchock some old veck in an alley and viddy him swim in his blood while we counted the takings and divided by four, nor to do the ultraviolent on some shivering starry grey haired ptitsa in a shop and go off with the till’s guts.
But, as they say, money isn’t everything.” As this novel was set in the future, the value ought to be a bit higher than it is now. If it isn’t, try to explain why!

2. Have someone else select a sentence from a book so that you can guess at each letter until correct. Keep track of the number of guesses and use the result to estimate the entropy of the text. To be fair, the sentence selected should not be one you are already familiar with! If you recognize the line, start over with a new sentence.

3. What happens to the maximum possible entropy of a language when more characters are introduced?

4. Calculations for the first order entropy of English may be made using the standard 26 letter alphabet or based on a 27 symbol alphabet that includes the blank space between words as a character. If we use this larger character set, should the value we obtain for $H_1$ be larger or smaller?

5. Will the first order entropy of a plaintext message change if it is enciphered with a monoalphabetic substitution cipher? How about the second order entropy?

6. Suppose a long message has been enciphered using matrix encryption. How could we use entropy calculations to determine the size of the matrix that was used?

7. What is the unicity point for 2x2 matrix encryption? What is it for 3x3 matrix encryption? How about the 4x4 case?

8. Bearing in mind that entropy measures disorder in a language, why do estimates of it using larger groups of characters (i.e., digraphs and trigraphs, as opposed to single characters) yield lower values?

9. How many possible meaningful keys should you expect there to be in English for a message 10 letters long that was enciphered using a running key cipher?

10. Shannon estimated the redundancy of English to be 50%. One method he referred to that yields this value is the ability of people to restore English sentences with half of the letters removed. Which of the following can you reconstruct?

a. OU ETTE WTC WHA YOU AY ABUT MY AR (26% removed)
b.
THS SNTNC HS N VWLS (35% removed)
c. OE F Y AOIE ORR OES S ILD H HPY A (50% removed)
d. I RAIG S AE UH AIR Y H PEEC O RDNAC (50% removed)
e. BTA WS OE TE OT OUA CMC OK HRCE O TE WNIT CNUY (50% removed)
f. SIIT WO A H TM T IE OK EPAN TR OK H GRL UC R IG GE EVC TI I TN HR E ON N TE NPRO T PRU SNE HEVS (60% removed)

11. Suppose the value of $H_1$ for English continues to increase and that at some point in the future it reaches 4.5. At that point, what percentage of letters may be deleted from a typical English sentence without preventing the message from being recovered?

12. What effect does doubling the number of keys in a system have on the unicity point of a cipher?

Chapter 12

1. Suppose that just prior to heading into the S-boxes, you have the following string of bits 010100000110101100111101000110110011000011110101. What will the result be immediately after going through the S-boxes? That is, complete the example begun earlier in this chapter.

2. Suppose that just prior to heading into the S-boxes, you have the following string of bits 000110010010111011010110110100111000110110000111. What will the result be immediately after going through the S-boxes?

3. If the result immediately after passing through the S-boxes in some particular round is 10111001101101011100110101001010, can you uniquely determine the bit string that entered the S-boxes in that round?

4. The initial permutation applied in DES is a far from random reordering of the bits. Produce terse computer code to accomplish this permutation.

5. If we were to add a 17th round, what would that round’s key look like?

6. Suppose you consider an n bit key to be just barely secure, for a specific value of n. That is, you don’t believe a brute force attack is realistic, but you wouldn’t be comfortable with a key any smaller than n bits. Moore’s law predicts that the number of transistors that can be fit per square inch on integrated circuits doubles every two years.
If we also factor in the fact that transistors are becoming faster, we get the result that processing speed doubles every 18 months. Because of limits imposed by physics, this cannot continue forever, but suppose it continues for the next ten years. How many bits should your key be increased by, if you want it to remain just barely secure ten years from now?

7. Complete the encipherment of the Richard Feynman quote using Levine’s method.

8. Show how the plaintext could be recovered from the ciphertext you found in exercise 4. Apply your technique to the first three ciphertext blocks to verify that it works.

9. In Cipher Block Chaining mode, must the Initialization Vector be kept secret or can it be revealed without compromising the message?

10. In Cipher Feedback mode, must the Initialization Vector be kept secret or can it be revealed without compromising the message?

11. Using the same Initialization Vector for two different messages (under the same encryption key) in Cipher Feedback mode would be bad. Why?

Chapter 13

1. Ask your bank what sort of encryption is used in your internet transactions. You may get an answer such as “128 bit encryption.” Without knowing the algorithm, this tells us almost nothing. Try to find out which algorithm is used.

2. In the back and forth mailing scheme that was described to allow communication using classical systems without prior key exchange, I claimed that some of the systems described in Book I would work. For each of the following explain why it would or would not be usable in this manner.

a) Caesar shift
b) Vigenère
c) Playfair
d) Matrix Encryption

3. Use the Euclidean algorithm to find the greatest common divisor (GCD) of 294,906 and 178,549. Also, find integer multiples of these numbers whose sum is the GCD.

4. Use the Euclidean algorithm to find the greatest common divisor (GCD) of 219,828 and 275,912. Also, find integer multiples of these numbers whose sum is the GCD.

5.
Use the Euclidean algorithm to find the greatest common divisor (GCD) of 875,156 and 12,576. Also, find integer multiples of these numbers whose sum is the GCD.

6. Use the Euclidean algorithm to find the greatest common divisor (GCD) of 98,545 and 47,521. Also, find integer multiples of these numbers whose sum is the GCD.

7. Use repeated squaring to compute $5^{100}$ mod 26.

8. Use repeated squaring to compute 74845 mod 391.

9. Use repeated squaring to compute 66452 mod 817.

10. Use repeated squaring to compute 221007 mod 1479.

11. Use repeated squaring to compute $86^{243}$ mod 87. Can you find a quicker way to do this one?

12. Look back at the example used in this text for RSA encryption. Did Bob correctly encipher the first three blocks? Use repeated squaring to check his work.

13. Find $541^{-1}$ mod 8692.

14. Find $122^{-1}$ mod 761.

15. Find $362^{-1}$ mod 2547.

16. Find $47^{-1}$ mod 1258.

17. Try to find $230^{-1}$ mod 6752. What’s going wrong?

18. Calculate φ(4), φ(8), φ(16), φ(32), φ(64), and φ(128).

19. Calculate φ(9), φ(27), φ(81), φ(243).

20. Based on your answers to Exercises 18 and 19, form a conjecture for the value of $\varphi(n^m)$. Does your conjecture work for $\varphi(4^2)$ and $\varphi(4^3)$? What about for $\varphi(5^2)$ and $\varphi(5^3)$? For what values does your conjecture seem to work?

21. Suppose n = pq, where p and q are distinct primes. Prove that $\varphi(n) = (p-1)(q-1)$. Hint: Don’t count how many integers less than n are relatively prime to n, but rather how many have a divisor in common with n, and then subtract this from the total. The numbers that have a common divisor with n will be the multiples of p and q.

22. Prove the conjecture you made in answer to Exercise 20 for the kind of values for which it appears to work.

23. Let p = 19, q = 29 and e = 215. Encipher the message M = 15 using the RSA scheme. Now decipher your ciphertext to make sure you get 15 back.

24. Encipher the following quote from Whitfield Diffie using e=535 and n = (1009)(1033) = 1042297.
“Two people can work on a problem better than one.” Use groups of six numbers for the plaintext blocks.

25. The example supplied to Martin Gardner by the M.I.T. professors for his historic article in Scientific American used the text ITS ALL GREEK TO ME, an enciphering exponent of 9,007 and the modulus

114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541,

which was found by multiplying a 64-digit prime and a 65-digit prime together. Generate the ciphertext yourself by converting the message to a single number (it will begin 09201...), raising it to the given power, and moding out by the large modulus. Hint: use technology!

26. Go to www.google.com and do a search for 3^6 mod 5. What happens? Next try M^e mod n using various integer values for M, e, and n. For what size values does Google return answers?

27. Key sizes are often stated in bits, even for a system such as RSA, where part of the key is the modulus. I used base ten numbers throughout this chapter of the text. What is the approximate relationship between the number of decimal digits in a modulus and its length in bits?

28. Typically the primes multiplied together to form the modulus for RSA are of about the same size. Can you find a reason for this?

29. How might the large primes needed for RSA be found? Would it be a good idea to obtain them from some table of large primes?

Chapter 14

1. If n = 3713 = pq, and φ(n) = 3588, find p and q.

2. If n = 4386607 = pq, and φ(n) = 4382136, find p and q.

3. If n = 63573413 = pq, and φ(n) = 63557280, find p and q.

4. Can problems like 1, 2, and 3, above, still be easily solved (with technology), if the primes involved are over 100 digits long? Justify your answer. These problems are intended to illustrate why φ(n) must be kept secret.

5. If $\gcd(C, pq) \neq 1$ in RSA, show that you can factor n and hence find d. Show that the probability of $\gcd(C, pq) \neq 1$ is (p + q – 1)/n = 1/p + 1/q – 1/(pq).

6.
Suppose Alice uses e = 3 and Bob uses e = 4 and both use the modulus n. If the message M is sent to both Alice and Bob, explain how Eve, having intercepted both copies, can read the message without factoring n.

7. Does your explanation for question 6 still work if Bob changes his e value to 5? Can you modify your answer, so that Eve may still recover the message?

8. The team that factored RSA-576 earned $10,000. Look up two values 1) the number of computing hours the team needed to accomplish this and 2) the minimum wage in 2003. Once you have these figures, multiply them. If the team had to pay the computers for their time, would they have any prize money left over for themselves?

9. Use the Sieve of Eratosthenes to find all primes less than 300.

10. Use Fermat’s method to factor 551.

11. Use Fermat’s method to factor 1617.

12. Use Fermat’s method to factor 12213.

13. Use the fact that $221 = 10^2 + 11^2 = 14^2 + 5^2$ to factor 221.

14. Use the fact that $1073 = 7^2 + 32^2 = 17^2 + 28^2$ to factor 1073.

15. Can any prime numbers be expressed as the sum of two positive numbers squared?

16. Can any prime numbers be expressed as the sum of two positive numbers squared in more than one way?

17. Fermat numbers were alluded to in this chapter. They are numbers of the form $F_n = 2^{2^n} + 1$. Fermat incorrectly conjectured that they were all prime. He wasn’t often wrong! Can you determine which is the first Fermat number to be composite? Euler was the first to answer his question. He didn’t use a computer, but you may.

18. In the 1870s, William S. Jevons described in his book The Principles of Science: A Treatise on Logic and Scientific Method how multiplication is easy, but factorization is much harder. He went on to ask “Can the reader say what two numbers multiplied together will produce the number 8,616,460,799?
I think it is unlikely that anyone but myself will ever know.” Use Fermat’s factorization method (along with a computer program or a spreadsheet such as Microsoft Excel) to prove Jevons was wrong.

19. It took F. N. Cole “three years of Sundays” (ending in 1903) to prove that $2^{67} - 1$ is not prime by finding the factors. [8] Use modern technology and one of the algorithms described above to find the factors yourself.

20. Factor 236273 using Dixon’s algorithm.

[8] Ribenboim, Paulo, The New Book of Prime Number Records, third edition, Springer, New York, 1995, p. 163.

Chapter 15

1. The prime number theorem states that the ratio of $\pi(n)$ to $n/\ln(n)$ converges to 1 as n approaches infinity. In other words, the percent error goes to zero. What happens to the absolute error?

2. Use Fermat’s test with three different bases (or less, if it fails a test!) to decide if 629 is probably prime.

3. Use Fermat’s test with three different bases (or less, if it fails a test!) to decide if 727 is probably prime.

4. Is 561 prime? Investigate by first applying Fermat’s test with base 2, and then by applying the Miller-Rabin test with base 2.

5. Apply the Miller-Rabin test with two different bases (or just one, if it fails the test!) to decide if 941 is probably prime.

6. Apply the Miller-Rabin test with two different bases (or just one, if it fails the test!) to decide if 1909 is probably prime.

7. The chance of a composite number passing a Miller-Rabin test with a randomly chosen base is less than ¼. How many independent tests should be done to guarantee the chance of the number being composite is less than .000001?

8. Would S = {2, 8, 16, 22, 52, 103, 211, 450} be an acceptable choice for a small knapsack?

9. Would S = {3, 9, 23, 75, 239, 548, 1298, 2459} be an acceptable choice for a small knapsack?

10. Finish enciphering WELL DONE, this chapter’s example for the knapsack cipher.

11.
Use the knapsack S = {2, 4, 9, 19, 38, 75, 155, 324, 1255, 2521, 5033, 9514, 20161, 40327, 80644, 161299} with the multiplier m = 5837 and the modulus n = 323760 in the scrambled order 6, 11, 1, 16, 10, 7, 3, 14, 9, 8, 12, 4, 15, 2, 5, 13 to encipher MERKLE, two characters at a time, using the ASCII coding scheme.

12. Use the knapsack S = {3, 5, 9, 20, 41, 83, 165, 333, 672, 1342, 2679, 5353, 10722, 21475, 42907, 86103} with the multiplier m = 8539 and the modulus n = 175326 in the scrambled order 10, 1, 13, 15, 8, 9, 16, 6, 5, 7, 14, 2, 12, 4, 11, 3 to encipher BOMB, two characters at a time, using the ASCII coding scheme.

13. Suppose Alice’s public Elgamal key consists of p = 2741, g = 43, and A = 55. Use the encoding scheme applied in the Elgamal example in this chapter and the key k = 14 to encipher MATH, two letters at a time. If you want to check your work by deciphering, Alice uses a = 25.

14. Suppose Alice’s public Elgamal key consists of p = 2789, g = 65, and A = 2041. Use the encoding scheme applied in the Elgamal example in this chapter and the key k = 23 to encipher CRYPTO, two letters at a time. If you want to check your work by deciphering, Alice uses a = 19.

15. Decipher the following Elgamal ciphertext by using p = 3019 and a = 13.

First pair of letters:  C1 = 1093, C2 = 633
Second pair of letters: C1 = 1093, C2 = 2451

Note: C1 is the same for both pairs of letters. All this indicates is that the sender used the same key, k, for both.

16. Decipher the Elgamal ciphertext given below by using p = 3083 and a = 37. The message will be the name of a band. If you haven’t heard of this band, it might just look like random letters!

First pair of letters:  C1 = 376, C2 = 3069
Second pair of letters: C1 = 445, C2 = 2279

Unlike the previous exercise, the C1 value changes from the first pair of letters to the second. This indicates that the sender used a different key for the second pair.

Chapter 16

1. Alice wants to send Bob the signed and enciphered message M = 72.
If Bob’s public key is $e_B = 17$, $n_B = 3293$, and Alice’s private key and modulus are $d_A = 31$, $n_A = 5063$, what value should Alice send?

2. Alice wants to send Bob the signed and enciphered message M = 49. If Bob’s public key is $e_B = 41$, $n_B = 4747$, and Alice’s private key and modulus are $d_A = 11$, $n_A = 6667$, what value should Alice send?

3. Suppose you work at a company where everyone is given a different RSA key pair, but they all share the modulus n = 143. Your public/private key pair is $e_M = 13$ and $d_M = 37$. Alice’s public key is $e_A = 47$. Use Attack #13 to find a private key that will allow you to impersonate Alice. Like other exercises, the numbers here are kept unrealistically small. This greatly eases the calculations involved and allows you to check your result by factoring n and calculating $\varphi(n)$, to see what values will serve as inverses for $e_A$ modulo $\varphi(n)$. Attack #13 will work for larger moduli, where factoring isn’t feasible.

4. a) What would you send to convey the message M = 95 using an Elgamal signature if p = 2687, g = 22, a = 17, s = 54, and the random enciphering key for the message is e = 73.
b) Now pretend you are the intended recipient and check the validity of the signature. Note that the recipient wouldn’t know s, but $v = g^s = 678$ would be made public by the sender.

5. Suppose the message M = 39 arrives with the Elgamal signature $S_1 = 1283$, $S_2 = 165$. Use p = 2687, g = 22, and v = 678 to determine if the signature is valid.

6. Suppose a password p is enciphered via the rule $C = (2^{16})(p) \pmod{10^{19} - 1}$. If C = 8353277155099344942, what was p? You should solve this problem by first calculating the multiplicative inverse of $2^{16} \pmod{10^{19} - 1}$.

7. Key generation for DSA was done in this chapter by picking a prime q and then testing 2q + 1 for primality. If q must be 100 digits long, how many different prime values would we have to test, on average, to find one such that 2q + 1 is also prime?
You may estimate this value by using the prime number theorem from chapter 15. Don’t concern yourself about whether or not a number of the form 2q +1 is more or less likely to be prime, if we know q is prime. Simply find what percentage of numbers of this size are prime and use this fact (in conjunction with the observation that 2q + 1 is always odd) to get your answer. 8. For DSA, the two primes q and p are often taken at 160 and 512 bits, respectively. If q is generated first and we test numbers of the form kq + 1 for primality to find p, how large should k be? Remember, a one bit increase in length doubles the size of the number. 9. A method for finding the two primes, p and q, required by DSA was given by Alexander W. Dent and Chris J. Mitchell in User’s Guide to Cryptography and Standards. It follows below. “Randomly generate a large prime number p, known as the modulus. The modulus p should be at least 512 bits long…. Randomly generate a large prime q such that q divides into p – 1. The prime q is known as the order and should be at least 160 bits long.”9 Explain why this technique would be more time consuming than the method I suggested. Of course, it is more important to generate the primes securely (i.e., as randomly as possible) than quickly. 10. Verify the claim made in the DSA example that the message cannot be changed from D to C without detection. 11. a) Use DSA to generate a signature for the message M=21 using q = 97, p = 971, g = 169, s = 35, v = 141, and k = 8. Let the hash function simply take M to M, since M is small. b) Verify that the signature is valid. 12. Suppose the message M = 75 arrives with the DSA signature S1 = 58, S2 = 79. Use q = 97, p = 971, g = 169, and v = 141 to determine if the signature is valid. Chapter 18 1. Iterate the LCG Xn = (9Xn – 1 + 4) (mod 26) starting with the seed value X0 = 5. Don’t stop until you reach the seed again. 2. Iterate the LCG Xn = (11Xn – 1 + 6) (mod 26) starting with the seed value X0 = 8. 
Don’t stop until you reach a value that was previously obtained.

3. Consider an intercepted ciphertext that begins 13 19 30. You happen to know that it was enciphered with an LCG having the form X_n = (aX_{n-1} + b) (mod 67). You are fortunate to know the modulus, but you do not know a or b. There is a seed X_0 that was used to start the LCG, but X_0 was not used for enciphering and you do not know its value. The first three characters were enciphered by adding X_1, X_2, and X_3 to their numerical values using the scheme A = 0, B = 1, C = 2,… Z = 25 without any further modular arithmetic. Assuming the first three characters of the message were THE, recover the values of a and b.

[9] Dent, Alexander W., and Chris J. Mitchell, User’s Guide to Cryptography and Standards, Artech House, Boston, Massachusetts, 2005, p. 143.

4. The attack made in exercise 3 would take longer without a crib. Assume the message is 50 characters long.[10] How could a brute force attack on the first three plaintext letters be carried out to reveal the correct values of a and b?

5. Use the LFSR pictured below with initial seed 1010 to generate a full period of bits. What length is this period?[11]

6. Can we get a maximal period from an LFSR by tapping an odd number of bits? Hint: consider whether or not the tap polynomial is reducible modulo 2.

7. Will the LFSR represented by the tap polynomial p(x) = x^3 + x^2 + 1 yield a maximal period?

8. Find a way to tap a shift register of length 5 to get a period of 31.

9. Determine the tap polynomial for each of the LFSRs used in A5/1.

10. Suppose an LFSR of the form b_{n+4} = a_3 b_{n+3} ⊕ a_2 b_{n+2} ⊕ a_1 b_{n+1} ⊕ a_0 b_n, where each of the a_i is either 0 or 1, produces the following stream 01101011. Determine the values of the a_i.

11. In A5/1, assuming that 0s and 1s are equally likely for each of the clocking bits, what is the probability in a cycle that the first LFSR will advance? Note: the answer would be the same if the question were posed for the second or third LFSR.

12.
The following appeared as a challenge to Cryptologia readers in 1978. James Reeds broke it; can you?

The following scheme was used to generate a stream cipher: X_{n+1} = QX_n (mod p) with Q = 7^5 = 16,807, p = 2^31 – 1, and X_0 some positive seed value less than p. To get the numbers above in the desired range, we plug the number we obtain (now called R) into the formula r = 1 + [(N)(R)/(2^31 – 1)], where N is the desired upper bound and [ ] denotes the greatest integer function. In the challenge, N = 257.

The scheme uses the APL character set (different from ASCII!), which is defined (in part) by

(blank)=65 A=66 B=67 Y=90 Z=91

Encryption is carried out by C_i = 1 + (P_i + r_i – 1) mod 256. Every so often the seed is changed and the difference equation generates numbers anew.

105 110 40 237 208 160 8 66 122 199 12 95 184 188 33 218 145 221 184 243 105 221 69 244 71 47 237 133 154 215 55 123 55 9 127 63 155 32 174 118 25 162 59 181 82 10 248 162 110 171 15 125 209 5 29 178 172 106 229 118 202 90 191 186 162

The challengers provided the following information: “The plaintext message contains only letters and blanks, and does contain the words CAFE and PAKISTAN. The number of seeds chosen was greater than 1, but less than 10.”[12]

[10] There’s nothing special about 50 here. It merely indicates that we have a fair amount of text following the first three characters.
[11] Image from http://homepage.mac.com/afj/lfsr.html

Chapter 19

1. Use Hasse’s theorem to find bounds for the number of points on an elliptic curve modulo 883.

2. Use Hasse’s theorem to find bounds for the number of points on an elliptic curve modulo 547.

3. Use Hasse’s theorem to find an upper bound on the smallest prime modulus that will yield at least 1000 points for any elliptic curve.

4. Use Hasse’s theorem to find an upper bound on the smallest prime modulus that will yield at least 5000 points for any elliptic curve.

5.
We represented 100P as 2(2(P+2(2(2(P+2P))))), so that the multiplication could be performed more quickly. Find similar expressions for
   a) 108P
   b) 76P
   c) 65P
   d) 29P

[12] Names Withheld, Encryption Challenge, Cryptologia, Vol. 2, No. 2, April 1978, p. 171.

6. Verify that 5(14, 15) = (8, 8) for the elliptic curve y^2 = x^3 – 2x + 3 (mod 29).

7. Verify that (12, 5) + (8, 8) = (15, 19) for the elliptic curve y^2 = x^3 – 2x + 3 (mod 29).

8. Find all solutions to y^2 = x^3 + 2x + 5 (mod 11).

9. Find all solutions to y^2 = x^3 + 3x + 7 (mod 13).

10. The Rijndael S-box sends 59 to 226. Verify that the polynomial inverse / matrix method achieves the same result.

11. The Rijndael S-box sends 228 to 105. Verify that the polynomial inverse / matrix method achieves the same result.

12. Explain why the Rijndael S-box could not be defined by sending every byte to its inverse modulo x^8 + x^4 + x^3 + x, followed by the matrix multiplication. Hint: the modulus was changed in a small, but significant, way.

13. Use the extended Euclidean algorithm to find the inverse of x^5 + x^3 + 1 modulo x^8 + x^4 + x^3 + x + 1.

14. Use the extended Euclidean algorithm to find the inverse of x^6 + x^5 + x^4 modulo x^8 + x^4 + x^3 + x + 1.

15. When deciphering, to undo the MixColumns step, we need to multiply each column by d(x) = 11x^3 + 13x^2 + 9x + 14. Represent this operation in terms of matrix multiplication, just as was done for the enciphering step using c(x).

16. Calculate RC10, RC11, and RC12.

17. Calculate RC13 and RC14.

18. How long would it take to break AES by brute force, on average, if a billion keys can be checked every second? Suppose an attack is found that’s a thousand times better than brute force. How long would it take now?
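The hand computation asked for in exercises 10 and 11 of Chapter 19 can be checked by machine. The Python below is an added example, not code from the book: the function names are hypothetical, and the affine constant 0x63 and the bit ordering (bit i is the coefficient of x^i) are taken from the published AES specification rather than from this page.

```python
AES_MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1; bit i is the coefficient of x^i


def poly_divmod(a, b):
    """Divide polynomial a by b over GF(2); return (quotient, remainder)."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift          # record the quotient term x^shift
        a ^= b << shift          # subtract (XOR) b * x^shift
    return q, a


def poly_mul(a, b):
    """Carry-less product of two polynomials over GF(2), without reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_inverse(a, modulus=AES_MOD):
    """Inverse of a modulo `modulus` by the extended Euclidean algorithm."""
    r0, r1 = modulus, a
    t0, t1 = 0, 1                # invariant: r_i = t_i * a (mod modulus)
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    if r0 != 1:
        raise ValueError("no inverse: gcd with the modulus is not 1")
    return poly_divmod(t0, modulus)[1]


def sbox(byte):
    """Rijndael S-box: invert in GF(2^8) (0 stays 0), then the matrix step."""
    inv = poly_inverse(byte) if byte else 0
    out = 0
    for i in range(8):           # row i of the matrix, plus bit i of 0x63
        bit = 0x63 >> i & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= inv >> ((i + k) % 8) & 1
        out |= bit << i
    return out
```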