Manual Solutions to the practice questions for IS 303

BY Swalala Fortunatus J And Mkumbwa Braite University of Dodoma. (UDOM)

1. Describe how you would conduct a chosen plaintext attack against an affine cipher. I recall you that the goal of the attack is to find the e-key, which is the pair of numbers (, ). We can choose the plaintexts a (=0, in the numerical translation) and b(=1). The corresponding ciphertexts will be * 0 + = and respectively * 1 + = + . From here we immediately find and . 2. How many keys are possible in the affine crypto system? ( I remind you that in this system x is encoded by x + (mod 26).) Justify your answer. There are 12 possibilities for (because there are 12 numbers between 0 and 25 that are relatively prime with 26; note that this is (26), i.e., the Euler used in Euler Theorem) and 26 possibilities for . So, the number of keys is 12 * 26 = 312. 3. Alice and Bob are using the one-time pad cryptosystem. Suppose that the plaintext is 1011 0101 110 and the ciphertext is 0001 0110 111. What is the key If P, K, and C are respectively the plaintext, the key and the ciphertext, then P + K = C, where + is bitwise XOR. From here, we deduce that K = P + C. So K = 1011 0101 110 + 0001 0110 111 = 1010 0011 001 4. One reasonable idea for enhancing the security of a cryptosystem is to use double encryption. Thus Alice first encrypts the message m getting c_1 and then she encrypts c_1 obtaining c_2 which she sends to Bob. Suppose Alice is doing this using the Hill cipher. Is double encryption (with the Hill cipher) any safer than simple encryption? Say yes or no and justify your answer. No, it wouldnt be any safer. If K1 and K2 are the two matrix keys, then double encryption means that given the plaintext x, the ciphertext Y is obtained as Y = K2 (K1 x) = (K2 K1 ) x, so it is the same as single encryption with the key K2 K1.

5. Suppose that in the Baby DES cryptosystem we have been able to determine that the first 4 bits of K_3 are either 1100 or 0101 and the last 4 bits of K_3 are 1110. List all the possibilities for K. There are 2 possibilities for K_3. We still miss one bit of K. For the missing bit there are of course 2 possibilities. Thus in total there are 4 possibilities for K. Just follow the rules for determining K_3 from K. You will get the 4 possibilities for K. 6. Alice is sending a DES encrypted message to Bob, and one bit in block C15 is corrupted during the transfer over the network (all the other ciphertext blocks are correct). What blocks of the plaintext will be garbled when Bob is doing the decryption if a. Alice is using the ECB mode. From the equations for ECB, we see that just P15 (having 64 bits) is garbled). b. Alice is using CBC. P15 and P16 (in total 128 bits). c. Alice is using CFB. P15 and the next 8 blocks (in total 9 * 8 = 72 bits, remember that in CFB a block has 8 bits).

7. Alice wants to use quad-DES by doing four DES encryptions with two keys K1 and K2 using the formula C = E K1 (E K1 (E K2 (E K2 (P)))). Describe briefly how Eve can mount an efficient attack of the type known plaintext. Suppose Eve can do 256 simple DES encryptions/decryptions in about 20 minutes and also assume that doing double DES encryptions/decryptions takes two times the time for single DES encryption/decryption. How long it will take to Eve to break the new scheme proposed by Alice (ignoring the time for all other operations except DES encryptions/decryptions)? Justify briefly. We have D K1 (D K1 (C)) = E K2 (E K2 (P)). Using the method in the meetin-the-middle-attack, we build 2 tables, the first one with D K1 (D K1 (C)) for all possible K1, and the second one with E K2 (E K2 (P)) for all possible K2 and look for equal entries (matches) in the 2 tables. Building each table requires 40 minutes, because we need to do 256 double DES encryptions). To reduce the number of matches, we probably need to repeat this for another pair (P, C). So in total, we need to construct 4

tables, each requiring 40 minutes, which means that total time is about 160 minutes.
8. We are analyzing the security of the substitution cryptosystem, denoted as usual EK. (K is the key which in the case of the substitution cryptosystem is a substitution table). Suppose the message space M consists of all possible combinations of two letters from the English alphabet, in other words M = {aa, ab, ac, , zz}, and each message from M is equally likely to be sent by Alice. (a) What is Prob (M= aa)? (here M is a randomly chosen message from M). It is equal to 1/(26)2, because there are 262 possible 2-letters words that are equally likely, and aa is just one of them. (b) What is Prob (M = aa| EK(M) = bc)? (Here M is a randomly chosen message from M, and K is a randomly chosen key). This probability is 0, because the ciphertext has two different letters and thus, since substitution is used, it is not possible that the plaintext consists of the same letter repeated twice.

(c) What do (a) and (b) say about the security of the substitution cryptosystem? More precisely, is it perfectly secure?

Since the two probabilities are different, the definition of perfect security is violated. So the substitution cipher is not perfectly secure.

9. The alphabet of a certain language has only the 5 letters (0,1,2,3,4). Suppose the message `42 is encrypted with an affine cipher and the ciphertext is `12. (a) Find the key. (b) The ciphertext 3124 has been obtained using the key from (a). Find the corresponding plaintext. Solution. (a) Let the unknown key be (x,y). Since 4 1 and 2 2, we can form the equations 4x + y = 1 and 2x + y = 2 (the arithmetic is modulo 5). By solving the system of equations, we obtain x=2 and y = 3, so the key is (2,3). (b) Let the plaintext be x_1 x_2 x_3 x_4. We have the equations 2x_1 + 3 = 3, 2x_2 + 3 = 1, 2x_3 + 3 = 2, 2x_4 + 3 = 4, from which we obtain x_1 = 0, x_2 = 4, x_3 = 2, x_4 = 3. So the plaintext is `0423. 10. We encrypt with double Vigenere using for the first encryption the key k_1 = (1,3,5,7) and for the second encryption the key k_2 = (2,4). Show that this is equivalent to simple Vigenere encryption, and find the key for the single Vigenere encryption that is equivalent with double Vigenere encryption with the above keys k_1 and k_2.

Solution. One can see that if we split the plaintext into groups of 4 letters, each such group of 4 letters p_1 p_2 p_3 p_4 is encrypted to p_1 + 1 +2, p_2+3+4, p_3+5 +2, p_4+7+4. Thus, the equivalent key is (3,7,7,11). 11. The plaintext `friday is encrypted using the Hill cipher with m=2 to give the ciphertext `PQCFKU. Find the key K. (It is acceptable to write the key K as a product of two matrices without performing the multiplication or taking the inverse.) Solution. From the first 2 blocks of 2 letters, we derive (5 17) * K = (15 16) and (8 3) * K = (2 5) (everything is modulo 26). This can be rewritten as (5 17 } * K = (15 16 ) ( 8 3) (2 5) It follows that K = (5 17 }-1 (8 3) * (15 16 ) (2 5).

12. Suppose that you are informed that the plaintext `abccab has been encrypted with the Vigenere cipher and the corresponding ciphertext is `bbccab. What is the key length? Solution. Since the length of the plaintext is 6, the key length can be 1,2, 3, 4, 5 or 6. It cannot be 1, because if it were the two occurrences of `a would be encrypted as the same letter. It cannot be 2, because if it were, the two occurrences of `ab would be encrypted as the same group of 2 letters, which is not the case. It cannot be 3 for the following reason: if key length =3, since `cab is encrypted as `cab, it would follow that the key is (0 0 0). But in this case the first group of 3 letters, `abc, would be encrypted as `abc. It cannot be 4, because if it were, the two occurrences of a would be encrypted by the same letter. And it cannot be 5, because if it were the first a and the last b would be shifted by the same amount and thus their encryption would not both be b. So key length = 6. 13. The alphabet is {0,1,2,3,4}. The Hill cipher is used with m=2, and the key is the 2-by-2
matrix K = (4 1) (3 1) Encrypt the message `1 2 3 4.

Solution: ( 1 2) * K = (0 3) and (3 4) * K = (4 2). The ciphertext is 0 3 4 2.

14. Apply one round of the Feistel structure to the string P = 1111 1010 and the key K = 0110, where the function f is defined by f (R,K) = R + K (+ is bitwise XOR).

Solution: L_0 = 1111 and R_0 = 1010. The Feistel structure means that L_1 = R_0 = 1010 and R_1 = L_0 + f(R_0, K) = L_0 + R_0 + K = 0011. So after one round 11111010 is transformed into 1010 0011.