2015
Assignment 1
1. Briefly explain why the monoalphabetic substitution cipher is vulnerable to frequency analysis.
Solution:
Monoalphabetic substitution cipher: A monoalphabetic cipher uses a fixed substitution over the
entire message, whereas a polyalphabetic cipher uses a number of substitutions at different positions
in the message, where a unit from the plaintext is mapped to one of several possibilities in the
ciphertext and vice versa.
Frequency analysis: Frequency analysis is the study of the frequency of letters or groups of letters
in a ciphertext.
Because the substitution is fixed, every ciphertext letter occurs exactly as often as the plaintext
letter it replaces. The frequencies of English letters are already known, so processing the
ciphertext by frequency analysis lets us decipher it easily. The frequency of letters is as follows:
E 12.7, T 9.1, A 8.2, O 7.5, . . .
Method:
1. From the given ciphertext, find the frequency of each letter.
2. Find the frequency of three-letter and two-letter words.
3. First replace these by guessing; by this point we will have recovered some letters.
4. Replace the most frequent ciphertext letters with the known most frequent letters.
5. After that, find the remaining substitutions by guessing.
Exception: It is difficult to crack a small word, as the frequency is not reliable.
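Steps 1 and 4 of the method, as an added example that is not part of the original assignment: the sample sentence, the random key and all function names are constructed here. It shows that substitution leaves the frequency profile untouched, and that on a short text only the top ranks (E, T) are guessed correctly, which is the exception noted above.

```python
import random
import string
from collections import Counter

PAGE_ORDER = "etao"  # the four most frequent English letters listed above

# Constructed sample text (not from the page).
SAMPLE = ("meet me here when the eleventh bell rings then we shall see "
          "where the secret letter went")

def make_key(seed):
    """Random monoalphabetic key: one fixed substitute per plaintext letter."""
    shuffled = list(string.ascii_lowercase)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(string.ascii_lowercase, shuffled))

def encrypt(text, key):
    """Apply the same substitution at every position; spaces pass through."""
    return "".join(key.get(ch, ch) for ch in text)

def letter_counts(text):
    return Counter(ch for ch in text if ch in string.ascii_lowercase)

def first_guesses(ciphertext):
    """Rank ciphertext letters by count and pair the top ones with E, T, A, O."""
    ranked = [ch for ch, _ in letter_counts(ciphertext).most_common(len(PAGE_ORDER))]
    return dict(zip(ranked, PAGE_ORDER))

KEY = make_key(2015)                 # plaintext letter -> ciphertext letter
CIPHERTEXT = encrypt(SAMPLE, KEY)
GUESSES = first_guesses(CIPHERTEXT)  # ciphertext letter -> guessed plaintext letter

if __name__ == "__main__":
    inverse = {c: p for p, c in KEY.items()}
    print(CIPHERTEXT)
    for c, guess in GUESSES.items():
        print(f"{c}: guessed {guess}, actually {inverse[c]}")
```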
MFCS
2015
Assignment 1
Solution:
Z3 Z2 Z1 R0
0 1
1 0
2 1
3 1
4 1
5 1
6 0
7 0
8 0
9 1
10 0
11 0
12 1
13 1
14 0
15 1
16 0
17 1
18 1
Solution:
Z3 Z2 Z1 Z0
0 1
1 0
2 1
3 1
4 1
5 1
6 0
7 1
8 1
4. In class we explained that the one time pad is malleable. Let's see a concrete example. Suppose you are
told that the one time pad encryption of the message "attack at dawn" is 09e1c5f70a65ac51626bc3d25f17
(the plaintext letters are encoded as 8-bit ASCII and the given ciphertext is written in hex). What would
be the one time pad encryption of the message "attack at dusk" under the same OTP key?
Solution:
M1 = attack at dawn
C1 = 09e1c5f70a65ac51626bc3d25f17
K = M1 ⊕ C1
K = 6895b196690e8c30164ba7b32879
(Ex.: hex(ascii(a)) ⊕ 09 = 68)
M2 = attack at dusk
C2 = M2 ⊕ K
C2 = 09e1c5f70a65ac51626bc3c65b12
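The computation above, as an added example that is not part of the original solution: it reproduces K and C2, then shows that the same C2 results from patching C1 directly without ever computing the key, which is what malleability means. The HMAC tag over the ciphertext and the MAC key are assumptions added here to show how such a change is detected; the function names are hypothetical.

```python
import hashlib
import hmac

M1 = b"attack at dawn"
M2 = b"attack at dusk"
C1 = bytes.fromhex("09e1c5f70a65ac51626bc3d25f17")   # given in the question

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def maul(ciphertext, old, new, offset):
    """Swap a known plaintext fragment inside the ciphertext, key unknown.

    c' = c xor (old xor new) on the bytes at [offset, offset + len(old)).
    """
    end = offset + len(old)
    patched = xor(ciphertext[offset:end], xor(old, new))
    return ciphertext[:offset] + patched + ciphertext[end:]

def tag(mac_key, ciphertext):
    """Integrity tag over the ciphertext (HMAC-SHA256, encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

K = xor(M1, C1)                               # the solution's K = M1 xor C1
C2 = xor(M2, K)                               # the solution's C2 = M2 xor K
C2_NO_KEY = maul(C1, b"dawn", b"dusk", 10)    # same bytes, K never computed

MAC_KEY = b"constructed MAC key"              # constructed for this example
TAMPERING_DETECTED = not hmac.compare_digest(
    tag(MAC_KEY, C1), tag(MAC_KEY, C2_NO_KEY))

if __name__ == "__main__":
    print(K.hex(), C2.hex(), C2_NO_KEY == C2, TAMPERING_DETECTED)
```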
5. MS-PPTP is a protocol for a client wishing to communicate securely with a server. They share a
secret key k. The client sends a message m1 and the server responds with s1. The client then sends a message
m2 and the server responds with s2. Similarly, the client sends a message m3 and the server responds with s3, etc. It
is an example of a two-time pad. Explain. Also briefly explain how to compute m1;m2;m3 and s1; s2; s3.
Solution: PPTP (Point to Point Tunnelling Protocol) is a communication protocol that
allows virtual private networks (VPNs) to be created using tunnelling.
One of the weaknesses of MS-PPTP is that the client and the server have the same secret key (usually created from
the user password), which is used in the same way by the two sides for sending messages (without
any synchronisation of its usage).
The client joins its messages and then encodes them using the shared secret key. The same operation
is performed by the server: it also joins its messages, encodes them using the shared secret key and sends
them to the client. The problem is that an attacker may eavesdrop on messages from the client and from
the server that are encoded using the same bytes of the secret key, and recover all the original messages.
Consider the diagram below:
[Diagram: Client-Server Communication in MS-PPTP. Messages a, b, c and x, y, z exchanged between Client and Server.]
and we have C2 = S ⊕ K ... (2)
Hence, from (1) ⊕ (2), we get:
C1 ⊕ C2 = M ⊕ S
Hence, MS-PPTP becomes like a two-time pad.
So now we have the XOR of the message from the server and the message from the client, and we can
recover the messages by trying many frequently used words or letters, finding each one separately.
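The relation C1 ⊕ C2 = M ⊕ S and the "frequently used words" step, as an added example that is not part of the original solution. The two messages, the keystream and the function names are constructed here; each direction of traffic is one message encrypted with the same key bytes.

```python
import hashlib

ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz ")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed traffic (not from the page): one message in each direction.
M = b"login request from the client"   # client -> server
S = b"welcome back to the server ok"   # server -> client
KEYSTREAM = hashlib.sha256(b"constructed shared key k").digest()[:len(M)]

C1 = xor(M, KEYSTREAM)   # C1 = M xor K
C2 = xor(S, KEYSTREAM)   # C2 = S xor K, the same key bytes used again

def crib_drag(c1, c2, crib):
    """Slide a guessed word over C1 xor C2 and keep offsets giving readable text.

    Where the guess really occurs in one message, the output is the
    matching fragment of the other message.
    """
    mixed = xor(c1, c2)                      # equals M xor S, the key cancels
    hits = []
    for i in range(len(mixed) - len(crib) + 1):
        fragment = xor(mixed[i:i + len(crib)], crib)
        if all(b in ALLOWED for b in fragment):
            hits.append((i, fragment))
    return hits

HITS = crib_drag(C1, C2, b" the ")

if __name__ == "__main__":
    for offset, fragment in HITS:
        print(offset, fragment)
```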
6. Let the message space M be {0,1} with Pr[M = 0] = 1/3 and Pr[M = 1] = 2/3. Let the keyspace K = {0,1}
and a key be chosen uniformly at random. Let the encryption algorithm be defined as
c = Enc(k,m) = k ⊕ m. Compute the following:
1. Pr[C = 0]
2. Pr[C = 0, M = 1]
3. Pr[C = 0 | M = 1]
4. Pr[k = 0 | M = 1]
5. Pr[k = 0 | M = 1]
Solution:
1. Pr[C=0] = Pr[(K=0 ∧ M=0) ∨ (K=1 ∧ M=1)]
= Pr[K=0] * Pr[M=0] + Pr[K=1] * Pr[M=1] - C and M are independent
= (1/2)*(1/3) + (1/2)*(2/3)
= 1/2
2. Pr[C=0, M=1] = Pr[C=0 ∧ M=1]
= Pr[C=0] * Pr[M=1] - independent
= (1/2)*(2/3)
= 1/3
3. Pr[C=0 | M=1] = Pr[C=0 ∧ M=1] / Pr[M=1]
= Pr[C=0] * Pr[M=1] / Pr[M=1] - independent
= 1/2
4. Pr[K=0 | M=1] = Pr[K=0 ∧ M=1] / Pr[M=1]
= Pr[K=0] * Pr[M=1] / Pr[M=1] - independent
= 1/2
5. Pr[K=0 | M=1] = Pr[K=0 ∧ M=1] / Pr[M=1]
= Pr[K=0] * Pr[M=1] / Pr[M=1] - independent
= 1/2
7. Let M = C = K = {0,1,2,...,255} and consider the following cipher defined over (K,M,C): E(k,m) = m +
k (mod 256), D(k,c) = c - k (mod 256). Does this cipher have perfect secrecy?
Solution:
To prove perfect secrecy, show that P[M=m | C=c] = P[M=m].
LHS = P[M=m | C=c] = P[C - k (mod 256) = m | C=c]
= P[c - k (mod 256) = m]
= P[k = c - m (mod 256)] = 1/256
= P[M=m] = RHS
For a given m, (c-m) mod 256 = 1, for m = 0 - 255. Hence Proved.
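Questions 6 and 7 checked by exact enumeration, as an added example that is not part of the original solutions: it builds the joint distribution of (M, K, C), reads the four probabilities of question 6 off it, and tests P[M=m | C=c] = P[M=m] for the shift cipher of question 7. The non-uniform message prior for question 7 and the half-keyspace contrast are constructed here, and the function names are hypothetical.

```python
from fractions import Fraction
from itertools import product

def joint(msg_dist, keys, enc):
    """Exact Pr[M=m, K=k, C=c] when the key is uniform and independent of M."""
    pk = Fraction(1, len(keys))
    return {(m, k, enc(k, m)): pm * pk
            for (m, pm), k in product(msg_dist.items(), keys)}

def pr(dist, event, given=lambda m, k, c: True):
    """Pr[event | given], by summing the matching outcomes."""
    num = sum(p for o, p in dist.items() if event(*o) and given(*o))
    return num / sum(p for o, p in dist.items() if given(*o))

def perfectly_secret(msg_dist, keys, enc):
    """True iff Pr[M=m | C=c] == Pr[M=m] for every m and every possible c."""
    pc, pmc = {}, {}
    for (m, k, c), p in joint(msg_dist, keys, enc).items():
        pc[c] = pc.get(c, 0) + p
        pmc[m, c] = pmc.get((m, c), 0) + p
    return all(pmc.get((m, c), 0) / pc[c] == pm
               for c in pc for m, pm in msg_dist.items())

# Question 6: M, K in {0,1}, Pr[M=0] = 1/3, Pr[M=1] = 2/3, c = k xor m.
Q6_MSGS = {0: Fraction(1, 3), 1: Fraction(2, 3)}
Q6 = joint(Q6_MSGS, [0, 1], lambda k, m: k ^ m)
Q6_ANSWERS = [
    pr(Q6, lambda m, k, c: c == 0),
    pr(Q6, lambda m, k, c: c == 0 and m == 1),
    pr(Q6, lambda m, k, c: c == 0, given=lambda m, k, c: m == 1),
    pr(Q6, lambda m, k, c: k == 0, given=lambda m, k, c: m == 1),
]

# Question 7: shift cipher mod 256 under a constructed, non-uniform prior.
Q7_MSGS = {m: Fraction(m + 1, 32896) for m in range(256)}   # weights sum to 1

def shift(k, m):
    return (m + k) % 256

Q7_SECRET = perfectly_secret(Q7_MSGS, range(256), shift)
# Constructed contrast: with only half the keys some (m, c) pairs are impossible.
HALF_KEYS_SECRET = perfectly_secret(Q7_MSGS, range(128), shift)
```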
c.
P[Enc(k, m) = c]
= P[(k ⊕ m) = c]
= P[k = c ⊕ m] = P[k = k ]
= 1/2^n
Since the equation holds for every m ∈ M, it follows that for every m1, m2 ∈ M we have P[Enc(k,
m1) = c] = 1/2^n as well as P[Enc(k, m2) = c] = 1/2^n, which implies that P[Enc(k, m1) = c] = P[Enc(k,
m2) = c], which establishes perfect security of OTP.
9. Let (E,D) be a (one-time) semantically secure cipher where the message and ciphertext space is (0, 1).
Which of the following encryption schemes are (one-time) semantically secure? Prove or disprove that
the schemes are semantically secure.
(i) E1(k, m) = 0||E(k,m) (i.e. prepend 0 to the ciphertext)
(ii) E1(k, m) = E(k,m)||k
(iii) E1(k, m) = reverse(E(k,m))
(iv) E1(k, m) = E(k,m)||LSB(m)
(v) E1((k, k), m) = E(k,m)||E(k,m)
Solution:
(i)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m)
[Diagram of the game between ORACLE, A and A1: 1. m0, m1; 2. m0, m1; 3. c = E(k, mb); 4. c1 = 0 || c; 5. b1, b1 ∈ (0,1); 6. b1; ORACLE holds b ∈ (0,1)]
Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to the Oracle.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k,mb) to adversary A.
4. The adversary A prepends a 0 to c and sends it to adversary A1 as c1.
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to ORACLE.
A1 can break the scheme E1(k, m) in time
t1 = t + cost of encryption or decryption
Since scheme E(k,m) cannot be broken in polynomial time, we conclude that E1(k, m) cannot be
broken in polynomial time. Hence the scheme E1(k, m) is semantically secure.
(ii)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m)
[Diagram of the game between ORACLE, A and A1: 1. m0, m1; 2. m0, m1; 3. c = E(k, mb); 4. b1; ORACLE holds b ∈ (0,1)]
Steps:
Thus the encryption scheme leaks information about the key and hence the scheme is not semantically secure.
(iii)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m)
[Diagram of the game between ORACLE, A and A1: 1. m0, m1; 2. m0, m1; 3. c = E(k, mb); 4. c1 = rev(c); 5. b1, b1 ∈ (0,1); 6. b1; ORACLE holds b ∈ (0,1)]
Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k,mb) to adversary A.
4. The adversary A reverses c and sends it to adversary A1 as c1.
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to the Oracle.
A1 can break the scheme E1(k, m) in time
t1 = t + cost of encryption or decryption
Since scheme E(k,m) cannot be broken in polynomial time, we conclude that E1(k, m) cannot be
broken in polynomial time. Hence the scheme E1(k, m) is semantically secure.
(iv)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m)
[Diagram of the game between ORACLE, A and A1: 1. m0, m1; 2. m0, m1; 3. c = E(k, mb); 4. b1; ORACLE holds b ∈ (0,1)]
Steps:
1. Adversary A chooses two messages m1 and m2 such that
m1 = m || 0
m2 = m || 1
2. The adversary A forwards the messages m0 and m1 to the Oracle.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k,mb) to adversary A.
4. On receiving c, adversary A can guess if m1 or m2 was encrypted by examining the last bit of
the ciphertext c. He outputs the bit b1, where b1 ∈ (0,1), which corresponds to his guess.
Thus the encryption scheme leaks information about the message and hence the scheme is not
semantically secure.
(v)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m)
[Diagram of the game between ORACLE, A and A1: 1. m0, m1; 2. m0, m1; 3. c = E(k, mb); 5. b1, b1 ∈ (0,1); 6. b1; ORACLE holds b ∈ (0,1)]
Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to the Oracle.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k,mb) to adversary A.
4. The adversary A concatenates E(k,mb) with itself and sends it to adversary A1 as c1 =
E(k,mb) || E(k,mb).
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to the Oracle.
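The five games above played out exactly, as an added example that is not part of the original solution. It assumes a one-byte one-time pad as the stand-in for the semantically secure cipher E and uses two hypothetical distinguishers, one reading the last ciphertext bit (the attack in (iv)) and one decrypting with the leaked key (the leak in (ii)); a zero result for (i), (iii) and (v) only says these two distinguishers fail, while the security argument is the reduction in the steps.

```python
from fractions import Fraction

def E(k, m):
    """Stand-in for the cipher E: one-byte OTP, ciphertext as a bit string."""
    return format(k ^ m, "08b")

SCHEMES = {
    "i":   lambda k, m: "0" + E(k, m),
    "ii":  lambda k, m: E(k, m) + format(k, "08b"),
    "iii": lambda k, m: E(k, m)[::-1],
    "iv":  lambda k, m: E(k, m) + str(m & 1),
    "v":   lambda k, m: E(k, m) + E(k, m),
}

M0, M1 = 0b10101010, 0b10101011   # m || 0 and m || 1, as in the steps for (iv)

def guess_from_last_bit(c1):
    """Distinguisher for (iv): the last ciphertext bit is LSB(m)."""
    return int(c1[-1])

def guess_from_leaked_key(c1):
    """Distinguisher for (ii): treat the bits after the first 8 as k and decrypt."""
    body, k = int(c1[:8], 2), int(c1[8:] or "0", 2)
    return int(body ^ k == M1)

def advantage(scheme, adversary):
    """Exact |Pr[b1=1 | b=1] - Pr[b1=1 | b=0]| over all 256 keys."""
    ones = [sum(adversary(scheme(k, m)) for k in range(256)) for m in (M0, M1)]
    return Fraction(abs(ones[1] - ones[0]), 256)

def best_advantage(name):
    """Larger of the two distinguishers' advantages against one scheme."""
    return max(advantage(SCHEMES[name], adv)
               for adv in (guess_from_last_bit, guess_from_leaked_key))

RESULTS = {name: best_advantage(name) for name in SCHEMES}

if __name__ == "__main__":
    for name, adv in RESULTS.items():
        print(f"({name}) advantage = {adv}")
```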