
CS-NC-616: Foundations of Cryptography

Problem Set I, Session 2016-17

1. Show how to break the shift, substitution and Vigenere ciphers via a known-plaintext attack and a chosen-plaintext
attack. For each case, specify the number of (message, ciphertext) pairs required to completely recover the secret
key.

2. Consider the shift cipher, where we have the following distribution over the message space M:

Pr[M = a] = 0.6 and Pr[M = z] = 0.4.

Here M is the random variable denoting the plaintext. What is the probability that the ciphertext is B? What is
the probability that message a was encrypted, given that we observe the ciphertext B?

3. Prove or disprove whether the following encryption schemes are perfectly-secure.

(a) $M = \{0, \ldots, 4\}$. The key-generation algorithm Gen chooses a key randomly from the set $\{0, \ldots, 5\}$.
$\mathrm{Enc}_k(m) := (k + m) \bmod 5$ and $\mathrm{Dec}_k(c) := (c - k) \bmod 5$.
(b) $M = \{m \in \{0, 1\}^{\ell} \mid \text{the last bit of } m \text{ is } 0\}$. The key-generation algorithm Gen chooses a key randomly
from the set $\{0, 1\}^{\ell - 1}$. $\mathrm{Enc}_k(m) := (k \| 0) \oplus m$ and $\mathrm{Dec}_k(c) := c \oplus (k \| 0)$.

4. Let denote an instance of Vigenere cipher, where message space is the set of all possible two-character English
letter strings and where the period is chosen randomly from the set {1, 2}. Design an attacker A, who wins the
perfectly-secure indistinguishability game with probability better than $\frac{1}{2}$.

5. Prove or refute: For every encryption scheme that is perfectly secret it holds that for every distribution over the
message space $M$, every $m_0, m_1 \in M$, and every $c \in C$, the following holds:

$\Pr[M = m_0 \mid C = c] = \Pr[M = m_1 \mid C = c]$.

6. What restrictions can be imposed on the shift, mono-alphabetic substitution and Vigenere ciphers, so that the
modified schemes become perfectly secure?

7. In the correctness requirement of any cipher, no error is allowed in the decryption process; namely we require that
$\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$ holds always. Suppose we relax this requirement and now require that $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$
should hold with probability at least $2^{-t}$. Under this relaxed notion of correctness, is it possible to design a
perfectly-secure encryption scheme where $|K| < |M|$?
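
As an added illustration (not part of the original problem set), the probabilities in Problems 2 and 3 can be computed exactly by enumerating every key. The function and constant names are hypothetical; keys are assumed uniform, ciphertext letters are written in upper case, and the length 3 used for scheme 3(b) is an arbitrary choice.

```python
from collections import Counter
from fractions import Fraction

def cipher_dist(keys, enc, m):
    """Pr[Enc_K(m) = c] for each c, with K uniform over `keys` (assumption)."""
    counts = Counter(enc(k, m) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def ciphertext_prob(keys, enc, msg_dist, c):
    """Pr[C = c] = sum over m of Pr[M = m] * Pr[Enc_K(m) = c]."""
    return sum(pm * cipher_dist(keys, enc, m).get(c, 0)
               for m, pm in msg_dist.items())

def posterior(keys, enc, msg_dist, m, c):
    """Pr[M = m | C = c] by Bayes' rule."""
    joint = msg_dist[m] * cipher_dist(keys, enc, m).get(c, 0)
    return joint / ciphertext_prob(keys, enc, msg_dist, c)

def perfectly_secret(keys, enc, messages):
    """True iff Pr[Enc_K(m) = c] is the same for every message m, an
    equivalent formulation of perfect secrecy."""
    dists = [cipher_dist(keys, enc, m) for m in messages]
    return all(d == dists[0] for d in dists)

# Problem 2: shift cipher on one letter, Pr[M=a] = 0.6, Pr[M=z] = 0.4.
def shift_enc(k, m):
    return chr((ord(m) - ord("a") + k) % 26 + ord("A"))

SHIFT_KEYS = range(26)
P2_DIST = {"a": Fraction(3, 5), "z": Fraction(2, 5)}

# Problem 3(a): six keys mapped onto five shifts, so keys 0 and 5 collide.
def enc_3a(k, m):
    return (k + m) % 5

# Problem 3(b) with length 3 (assumed): 2-bit key padded with a 0 bit.
def enc_3b(k, m):
    return (k << 1) ^ m

if __name__ == "__main__":
    print("Pr[C=B]      =", ciphertext_prob(SHIFT_KEYS, shift_enc, P2_DIST, "B"))
    print("Pr[M=a|C=B]  =", posterior(SHIFT_KEYS, shift_enc, P2_DIST, "a", "B"))
    print("3(a) dist m=0:", cipher_dist(range(6), enc_3a, 0))
    print("3(a) dist m=1:", cipher_dist(range(6), enc_3a, 1))
    print("3(a) secret? ", perfectly_secret(range(6), enc_3a, range(5)))
    print("3(b) secret? ", perfectly_secret(range(4), enc_3b, [0, 2, 4, 6]))
```
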
