MFCS

2015

Assignment 1

Instructor: Kunwar Singh


Student: Vignesh Prasad V(106112101),
Gudla Sunil Kumar(106112032)

1. Briefly explain that monoalphabetic substitution cipher is vulnerable under frequency analysis.

Solution:
Monoalphabetic substitution cipher: A monoalphabetic cipher uses a fixed substitution over the
entire message, whereas a polyalphabetic cipher uses a number of substitutions at different positions
in the message, where a unit from the plaintext is mapped to one of several possibilities in the
ciphertext and vice versa.
Frequency analysis: Frequency analysis is the study of the frequency of letters or groups of letters
in a ciphertext.
When we process the ciphertext by frequency analysis, we can easily decipher it, because the frequency
of letters in English is already known and a fixed substitution only relabels the letters without
changing how often each one occurs. The frequency of letters is as follows:
E 12.7, T 9.1, A 8.2, O 7.5, . . .
Method:
1. From the given ciphertext, find the frequency of each letter.
2. Find the frequency of 3-letter and 2-letter words.
3. First replace them by guessing; by this time we will have recovered some letters.
4. Replace the letters with the known most frequent letters.
5. After that, by guessing, we can find the remaining substitutions.
Exception: It is difficult to crack a small word, as the frequency is not reliable.
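The first steps of the method above, as an added example that is not part of the original assignment. The sample text, the seed and all function names are constructed for illustration.

```python
import random
import string
from collections import Counter

# Constructed sample plaintext (not from the page); lowercase letters and spaces only.
SAMPLE = ("the enemy keeps the gate open at night and the guard sleeps "
          "near the east tower where the street meets the river")

def random_key(seed):
    """Random monoalphabetic key: one fixed letter mapping for the whole message."""
    letters = list(string.ascii_lowercase)
    shuffled = letters[:]
    random.Random(seed).shuffle(shuffled)
    return dict(zip(letters, shuffled))

def substitute(text, mapping, unknown=None):
    """Apply a letter mapping; spaces pass through, unmapped letters become `unknown`."""
    return "".join(ch if ch == " " else mapping.get(ch, unknown or ch) for ch in text)

def first_guess(ciphertext):
    """Steps 1-4: count letters and 3-letter words, then make the first guesses."""
    letters = Counter(ch for ch in ciphertext if ch != " ")
    trigrams = Counter(w for w in ciphertext.split() if len(w) == 3)
    guess = dict(zip(trigrams.most_common(1)[0][0], "the"))  # commonest 3-letter word
    guess.setdefault(letters.most_common(1)[0][0], "e")      # commonest letter
    return guess, letters

def demo(seed=2015):
    key = random_key(seed)
    ciphertext = substitute(SAMPLE, key)
    guess, cipher_counts = first_guess(ciphertext)
    plain_counts = Counter(ch for ch in SAMPLE if ch != " ")
    # The substitution only relabels letters, so the sorted counts are identical.
    same_profile = sorted(plain_counts.values()) == sorted(cipher_counts.values())
    partial = substitute(ciphertext, guess, unknown="_")
    return key, guess, same_profile, partial

if __name__ == "__main__":
    key, guess, same_profile, partial = demo()
    print("frequency profile preserved:", same_profile)
    print("partial decryption:", partial)
```

Step 5 then continues by hand from the partial decryption, where words such as `e_e__` and `_ee__` narrow the remaining letters.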

2. Consider the linear recurrence of degree 4:

$z_{i+4} = (z_i + z_{i+1}) \bmod 2$.

Construct a diagram for the corresponding linear feedback shift register (LFSR).
Construct a table to produce the key stream generated using this LFSR with the key K = (1, 0, 1, 1).
What is its period?
Write down the characteristic polynomial of this linear recurrence. Is it a primitive polynomial?
Explain your answer.

Solution:

[Figure: LFSR diagram with four stages labelled Z3, Z2, Z1, R0.]

Output for the key K = (1, 0, 1, 1):

I :  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
Z :  1  0  1  1  1  1  0  0  0  1  0  0  1  1  0  1  0  1  1

After I = 14 we can see that it is repeating 1,0,1,1, so the period is $15 = 2^4 - 1$.

Characteristic polynomial: $x^4 + x + 1$, with maximum period of $2^4 - 1$.
This polynomial is a primitive polynomial as it does not have a real root.

3. Consider the linear recurrence of degree 4:

$z_{i+4} = (z_i + z_{i+1} + z_{i+2} + z_{i+3}) \bmod 2$.

Construct a diagram for the corresponding linear feedback shift register (LFSR).
Construct a table to produce the key stream generated using this LFSR with the key K = (1, 0, 1, 1).
What is its period?
Write down the characteristic polynomial of this linear recurrence. Is it a primitive polynomial?
Explain your answer.

Solution:

[Figure: LFSR diagram with four stages labelled Z3, Z2, Z1, Z0.]

Output for the key K = (1, 0, 1, 1):

I :  0  1  2  3  4  5  6  7  8
Z :  1  0  1  1  1  1  0  1  1

After I = 4, we can see that it is repeating 1,0,1,1, so the period is 5.

Characteristic polynomial: $x^4 + x^3 + x^2 + x + 1$
This polynomial is a primitive polynomial as it does not have a real root.
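The two registers from questions 2 and 3, simulated as an added example that is not part of the original assignment. Function and constant names are chosen here for illustration, and `periods_all_keys` goes beyond the page by trying every non-zero key rather than only K = (1, 0, 1, 1).

```python
from itertools import product

def lfsr_stream(taps, key, n):
    """First n keystream bits of z[i+d] = sum(z[i+t] for t in taps) mod 2, d = len(key)."""
    z = list(key)
    d = len(key)
    while len(z) < n:
        i = len(z) - d
        z.append(sum(z[i + t] for t in taps) % 2)
    return z[:n]

def period(taps, key):
    """Steps until the register returns to its initial state (None if it never does)."""
    start = state = tuple(key)
    seen = set()
    steps = 0
    while state not in seen:
        seen.add(state)
        state = state[1:] + (sum(state[t] for t in taps) % 2,)
        steps += 1
        if state == start:
            return steps
    return None

def char_poly(taps, degree):
    """Characteristic polynomial x^d plus x^t for each tap t, rendered as text."""
    names = {0: "1", 1: "x"}
    terms = ["x^%d" % degree]
    terms += [names.get(t, "x^%d" % t) for t in sorted(taps, reverse=True)]
    return " + ".join(terms)

def periods_all_keys(taps, degree):
    """Set of periods observed over every non-zero initial key."""
    return {period(taps, k) for k in product((0, 1), repeat=degree) if any(k)}

Q2_TAPS = (0, 1)          # z[i+4] = z[i] + z[i+1]
Q3_TAPS = (0, 1, 2, 3)    # z[i+4] = z[i] + z[i+1] + z[i+2] + z[i+3]
KEY = (1, 0, 1, 1)

if __name__ == "__main__":
    for name, taps in (("Q2", Q2_TAPS), ("Q3", Q3_TAPS)):
        print(name, char_poly(taps, 4), lfsr_stream(taps, KEY, 19),
              "period", period(taps, KEY), "all keys", periods_all_keys(taps, 4))
```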

4. In class we explained that the one time pad is malleable. Let's see a concrete example. Suppose you are
told that the one time pad encryption of the message "attack at dawn" is 09e1c5f70a65ac51626bc3d25f17
(the plaintext letters are encoded as 8-bit ASCII and the given ciphertext is written in hex). What would
be the one time pad encryption of the message "attack at dusk" under the same OTP key?

Solution:
$M_1$ = attack at dawn
$C_1$ = 09e1c5f70a65ac51626bc3d25f17
$K = M_1 \oplus C_1$
$K$ = 6895b196690e8c30164ba7b32879
(Ex.: hex(ascii(a)) $\oplus$ 09 = 68)
$M_2$ = attack at dusk
$C_2 = M_2 \oplus K$
$C_2$ = 09e1c5f70a65ac51626bc3c65b12
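The same computation as an added example (not part of the original assignment), showing that the new ciphertext can be produced from the old one and the two plaintexts alone. The function names are chosen here for illustration.

```python
C1_HEX = "09e1c5f70a65ac51626bc3d25f17"   # ciphertext given in the question
M1 = "attack at dawn"
M2 = "attack at dusk"

def xor(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_key(c1_hex, m1):
    """K = M1 xor C1, as in the solution above."""
    return xor(bytes.fromhex(c1_hex), m1.encode("ascii")).hex()

def maul(c1_hex, m1, m2):
    """C2 = C1 xor (M1 xor M2): the key is never computed."""
    c1 = bytes.fromhex(c1_hex)
    b1, b2 = m1.encode("ascii"), m2.encode("ascii")
    if not len(c1) == len(b1) == len(b2):
        raise ValueError("messages and ciphertext must have the same length")
    return xor(c1, xor(b1, b2)).hex()

def changed_positions(c1_hex, c2_hex):
    """Byte offsets where the two ciphertexts differ."""
    a, b = bytes.fromhex(c1_hex), bytes.fromhex(c2_hex)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    c2 = maul(C1_HEX, M1, M2)
    print("K  =", recover_key(C1_HEX, M1))
    print("C2 =", c2)
    print("bytes changed:", changed_positions(C1_HEX, c2))
```

Only the three bytes under "awn" change, which is why a one time pad needs a separate integrity check if modification must be detected.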

5. MS-PPTP is a protocol for a client wishing to communicate securely with a server. They both share a
secret key k. Here the client sends a message m1 and the server responds with s1. Again the client sends a
message m2 and the server responds with s2. Similarly the client sends a message m3 and the server responds
with s3, etc. It is an example of a two-time pad. Explain. Also briefly explain how to compute m1, m2, m3
and s1, s2, s3.

Solution: PPTP (Point to Point Tunnelling Protocol) is a communication protocol that
allows virtual private networks (VPNs) to be created using tunnelling.
One of the weaknesses of MS-PPTP is that the client and server have the same secret key (usually created
from the user password), which is used in the same way by the two sides for sending messages (without
any synchronisation of its usage).
The client joins its messages and then encodes them using the shared secret key. The same operations
are performed by the server: it also joins its messages, encodes them using the shared secret key and
sends them to the client. The problem is that an attacker may eavesdrop on messages from the client and
from the server which are encoded using the same bytes of the secret key, and recover all the original
messages.
Consider the diagram below:
[Figure: Client-Server Communication in MS-PPTP. The client sends a, b, c to the server; the server sends x, y, z to the client.]

Weakness: Same key is used by both client and server.

$M = a \| b \| c$
$S = x \| y \| z$
Key $= K$
$E_k(M) = C_1 = M \oplus K$
$E_k(S) = C_2 = S \oplus K$
Now, we have $C_1 = M \oplus K$ (1)
and, we have $C_2 = S \oplus K$ (2)
Hence, from (1) $\oplus$ (2), we get:
$C_1 \oplus C_2 = M \oplus S$
Hence, MS-PPTP becomes like a two-time pad.
So now we have the messages from server and client combined, and we can get the messages by trying many
frequently used words or letters and can find each separately.
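The key cancellation derived above, as an added example that is not part of the original assignment. Both message streams, the guessed word and the function names are constructed for illustration.

```python
import secrets
import string

# Constructed streams (not from the page): M = client side, S = server side.
M = b"login user=alice password=hunter2"
S = b"welcome alice, your session is ok"

# Byte values accepted as plausible plaintext when testing a guessed word.
ALLOWED = set((string.ascii_letters + string.digits + " .,=/").encode())

def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def two_time_pad(m, s):
    """Encrypt both directions with the same key stream K, as MS-PPTP did."""
    k = secrets.token_bytes(max(len(m), len(s)))
    return xor(m, k), xor(s, k)

def try_word(combined, word):
    """Slide a guessed word over C1 xor C2; keep offsets that yield readable text."""
    hits = []
    for off in range(len(combined) - len(word) + 1):
        fragment = xor(combined[off:off + len(word)], word)
        if all(ch in ALLOWED for ch in fragment):
            hits.append((off, fragment))
    return hits

def demo():
    c1, c2 = two_time_pad(M, S)
    combined = xor(c1, c2)            # equals M xor S: the key has cancelled
    return combined, try_word(combined, b"password=")

if __name__ == "__main__":
    combined, hits = demo()
    print("C1 xor C2 == M xor S:", combined == xor(M, S))
    for off, fragment in hits:
        print(off, fragment)
```

A correct guess at the right offset exposes the other side's bytes at the same position, whatever the key was; giving each direction its own key stream removes the overlap.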

6. Let the message space M be {0,1} with Pr[M = 0] = 1/3 and Pr[M = 1] = 2/3. Let the keyspace K = {0,1}
and a key be chosen uniformly at random. Let the encryption algorithm be defined as
$c = Enc(k, m) = k \oplus m$. Compute the following:
1. Pr[C = 0]
2. Pr[C = 0, M = 1]
3. Pr[C = 0 | M = 1]
4. Pr[k = 0 | M = 1]
5. Pr[k = 0 | M = 1]

Solution:
1. $\Pr[C=0] = \Pr[(K=0 \wedge M=0) \vee (K=1 \wedge M=1)]$
$= \Pr[K=0] \cdot \Pr[M=0] + \Pr[K=1] \cdot \Pr[M=1]$ (C and M are independent)
$= (1/2)(1/3) + (1/2)(2/3)$
$= 1/2$
2. $\Pr[C=0, M=1] = \Pr[C=0 \wedge M=1]$
$= \Pr[C=0] \cdot \Pr[M=1]$ (independent)
$= (1/2)(2/3)$
$= 1/3$
3. $\Pr[C=0 \mid M=1] = \Pr[C=0 \wedge M=1] / \Pr[M=1]$
$= \Pr[C=0] \cdot \Pr[M=1] / \Pr[M=1]$ (independent)
$= 1/2$
4. $\Pr[K=0 \mid M=1] = \Pr[K=0 \wedge M=1] / \Pr[M=1]$
$= \Pr[K=0] \cdot \Pr[M=1] / \Pr[M=1]$ (independent)
$= 1/2$
5. $\Pr[K=0 \mid M=1] = \Pr[K=0 \wedge M=1] / \Pr[M=1]$
$= \Pr[K=0] \cdot \Pr[M=1] / \Pr[M=1]$ (independent)
$= 1/2$

7. Let $M = C = K = \{0, 1, 2, \ldots, 255\}$ and consider the following cipher defined over (K, M, C):
$E(k, m) = m + k \pmod{256}$, $D(k, c) = c - k \pmod{256}$. Does this cipher have perfect secrecy?

Solution:
To prove perfect secrecy, show that $P[M=m \mid C=c] = P[M=m]$.
LHS $= P[M=m \mid C=c] = P[C - k \pmod{256} = m \mid C=c]$
$= P[c - k \pmod{256} = m]$
$= P[k = c - m \pmod{256}] = 1/256$
$= P[M=m]$ = RHS
For a given m, (c-m) mod 256 = 1, for m = 0 - 255. Hence Proved.
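The probabilities in question 6 and the perfect-secrecy condition in question 7 can be checked exactly by enumeration. This is an added example, not part of the original assignment; the skewed message prior, the half-size key space used for contrast and all function names are assumptions introduced here.

```python
from collections import defaultdict
from fractions import Fraction

def joint(enc, keys, prior):
    """Exact Pr[M=m, C=c] for a uniformly chosen key and message prior `prior`."""
    pk = Fraction(1, len(keys))
    table = defaultdict(Fraction)
    for m, pm in prior.items():
        for k in keys:
            table[(m, enc(k, m))] += pk * pm
    return table

def marginal_c(table):
    """Pr[C=c], summed over all messages."""
    pc = defaultdict(Fraction)
    for (m, c), p in table.items():
        pc[c] += p
    return pc

def perfectly_secret(enc, keys, prior):
    """True iff Pr[M=m | C=c] == Pr[M=m] for every m and every possible c."""
    table = joint(enc, keys, prior)
    pc = marginal_c(table)
    return all(table.get((m, c), 0) / pc[c] == pm
               for c in list(pc) for m, pm in prior.items())

def xor_enc(k, m):            # question 6: c = k xor m
    return k ^ m

def add_enc(k, m):            # question 7: c = m + k (mod 256)
    return (m + k) % 256

Q6_PRIOR = {0: Fraction(1, 3), 1: Fraction(2, 3)}
# Constructed non-uniform prior over 0..255: Pr[M=m] proportional to m + 1.
SKEWED = {m: Fraction(m + 1, 32896) for m in range(256)}

def q6_answers():
    """Returns (Pr[C=0], Pr[C=0, M=1], Pr[C=0 | M=1])."""
    table = joint(xor_enc, [0, 1], Q6_PRIOR)
    pr_c0_m1 = table[(1, 0)]
    return marginal_c(table)[0], pr_c0_m1, pr_c0_m1 / Q6_PRIOR[1]

if __name__ == "__main__":
    print("Q6:", q6_answers())
    print("Q7, keys 0..255:", perfectly_secret(add_enc, range(256), SKEWED))
    print("Q7, keys 0..127 only:", perfectly_secret(add_enc, range(128), SKEWED))
```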

8. Prove that OTP is perfectly secure.

Solution: Proof: Take any $m \in M$ and $c \in C$, and let $k^* = m \oplus c$.

$P[Enc(k, m) = c]$
$= P[(k \oplus m) = c]$
$= P[k = c \oplus m] = P[k = k^*]$
$= 1/2^n$
Since the equation holds for every $m \in M$, it follows that for every $m_1, m_2 \in M$ we have
$P[Enc(k, m_1) = c] = 1/2^n$ as well as $P[Enc(k, m_2) = c] = 1/2^n$, which implies that
$P[Enc(k, m_1) = c] = P[Enc(k, m_2) = c]$, which establishes perfect security of OTP.

9. Let (E,D) be a (one-time) semantically secure cipher where the message and ciphertext space is (0, 1).
Which of the following encryption schemes are (one-time) semantically secure? Prove or disprove that
the schemes are semantically secure.
(i) E1(k, m) = 0 || E(k,m) (i.e. prepend 0 to the ciphertext)
(ii) E1(k, m) = E(k,m) || k
(iii) E1(k, m) = reverse(E(k,m))
(iv) E1(k, m) = E(k,m) || LSB(m)
(v) E1((k, k), m) = E(k,m) || E(k,m)

Solution:
(i)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m).

[Figure: message flow between A1, A and ORACLE. (1) A1 to A: m0, m1; (2) A to ORACLE: m0, m1; (3) ORACLE to A: c = E(k, mb), b ∈ (0,1); (4) A to A1: c1 = 0 || c; (5) A1 to A: b1, b1 ∈ (0,1); (6) b1 to ORACLE.]

Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to the ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k, mb) to adversary A.
4. The adversary A prepends a 0 to c and sends it to adversary A1 as c1.
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to ORACLE.
A1 can break the scheme E1(k, m) in time
t1 = t + cost of encryption or decryption

Since scheme E(k,m) cannot be broken in polynomial time, we conclude that E1(k, m) cannot be
broken in polynomial time. Hence the scheme E1(k, m) is semantically secure.
(ii)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m).

[Figure: message flow between A1, A and ORACLE. (1), (2) m0, m1; (3) c = E(k, mb), b ∈ (0,1); (4) b1.]

Steps:
1. Adversary A chooses two messages m1 and m2 such that
m1 = m || k, m2 = m || k
2. The adversary A forwards the messages m0 and m1 to the ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k, mb) to adversary A.
4. On receiving c, adversary A can guess if m1 or m2 was encrypted by checking with the key
which A has guessed by decrypting c with k. He outputs the bit b1, where b1 ∈ (0,1), which
corresponds to his guess.

Thus the encryption scheme leaks information about the key and hence the scheme is not semantically secure.
(iii)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m).

[Figure: message flow between A1, A and ORACLE. (1) A1 to A: m0, m1; (2) A to ORACLE: m0, m1; (3) ORACLE to A: c = E(k, mb), b ∈ (0,1); (4) A to A1: c1 = rev(c); (5) A1 to A: b1, b1 ∈ (0,1); (6) b1 to ORACLE.]

Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k, mb) to adversary A.
4. The adversary A reverses c and sends it to adversary A1 as c1.
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to the ORACLE.
A1 can break the scheme E1(k, m) in time
t1 = t + cost of encryption or decryption
Since scheme E(k,m) cannot be broken in polynomial time, we conclude that E1(k, m) cannot be
broken in polynomial time. Hence the scheme E1(k, m) is semantically secure.
(iv)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m).

[Figure: message flow between A1, A and ORACLE. (1), (2) m0, m1; (3) c = E(k, mb), b ∈ (0,1); (4) b1.]

Steps:
1. Adversary A chooses two messages m1 and m2 such that
m1 = m || 0
m2 = m || 1
2. The adversary A forwards the messages m0 and m1 to the ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k, mb) to adversary A.
4. On receiving c, adversary A can guess if m1 or m2 was encrypted by examining the last bit of
the ciphertext c. He outputs the bit b1, where b1 ∈ (0,1), which corresponds to his guess.
Thus the encryption scheme leaks information about the message and hence the scheme is not
semantically secure.
(v)
Diagram:
Adversary A1 is trying to crack the scheme E1(k, m) while adversary A is trying to crack E(k,m).

[Figure: message flow between A1, A and ORACLE. (1) A1 to A: m0, m1; (2) A to ORACLE: m0, m1; (3) ORACLE to A: c = E(k, mb), b ∈ (0,1); (4) A to A1: c1 = E(k, mb) || E(k, mb); (5) A1 to A: b1, b1 ∈ (0,1); (6) b1 to ORACLE.]

Steps:
1. The adversary A1 picks two random messages m0 and m1 and sends them to adversary A.
2. The adversary A forwards the messages m0 and m1 to the ORACLE.
3. ORACLE picks a random message mb where b ∈ (0,1) and sends c = E(k, mb) to adversary A.
4. The adversary A concatenates E(k, mb) with itself and sends it to adversary A1 as c1 =
E(k, mb) || E(k, mb).
5. On receiving c1, adversary A1 tries to guess if m0 or m1 was encrypted. He outputs a random
bit b1, where b1 ∈ (0,1), which corresponds to his guess. He sends his guess to the adversary
A.
6. Adversary A1 sends the bit b1 to the ORACLE.

A1 can break the scheme E1(k, m) in time
t1 = t + cost of encryption or decryption
Since scheme E(k,m) cannot be broken in polynomial time, we conclude that E1(k, m) cannot be
broken in polynomial time. Hence the scheme E1(k, m) is semantically secure.
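The distinguishing game for schemes (ii) and (iv), and the key-free transformation adversary A applies in (i), (iii) and (v), as an added example that is not part of the original assignment. A one-time pad over 16-byte messages stands in for E, padding and reversal work on whole bytes, and all names are assumptions made here.

```python
import secrets

N = 16  # message length in bytes (assumption for this example)

def E(k, m):
    """Base cipher: one-time pad, standing in for the page's semantically secure E."""
    return bytes(a ^ b for a, b in zip(k, m))

def E_ii(k, m):
    return E(k, m) + k                      # scheme (ii): E(k,m) || k

def E_iv(k, m):
    return E(k, m) + bytes([m[-1] & 1])     # scheme (iv): E(k,m) || LSB(m)

def choose():
    """Adversary's message pair: m0 ends in bit 0, m1 ends in bit 1."""
    return bytes(N), bytes(N - 1) + b"\x01"

def guess_ii(c, m0, m1):
    body, k = c[:N], c[N:]                  # the key arrives with the ciphertext
    return 0 if E(k, body) == m0 else 1

def guess_iv(c, m0, m1):
    return c[-1]                            # appended bit equals LSB(mb) = b

def win_rate(enc, guess, rounds=500):
    """Run the one-time distinguishing game; return the adversary's win fraction."""
    wins = 0
    for _ in range(rounds):
        m0, m1 = choose()
        b = secrets.randbelow(2)            # ORACLE's hidden bit
        c = enc(secrets.token_bytes(N), (m0, m1)[b])
        wins += guess(c, m0, m1) == b
    return wins / rounds

def reduce_to_E(transform, guess_A1):
    """Adversary A against E, built from A1 against E1 = transform(E) without the key."""
    return lambda c, m0, m1: guess_A1(transform(c), m0, m1)

TRANSFORMS = {
    "i": lambda c: b"\x00" + c,             # 0 || E(k,m), one zero byte here
    "iii": lambda c: c[::-1],               # reverse(E(k,m)), byte-wise here
    "v": lambda c: c + c,                   # E(k,m) || E(k,m)
}

if __name__ == "__main__":
    print("(ii) win rate:", win_rate(E_ii, guess_ii))
    print("(iv) win rate:", win_rate(E_iv, guess_iv))
```

A win rate of 1.0 against (ii) and (iv) means an advantage far from 1/2, while in (i), (iii) and (v) everything A1 sees is computed from c alone, which is what lets A reuse A1's guess.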
