Universitat Pompeu Fabra, 2023

Cryptography and Security

Problem Set 1

Exercise 1
Suppose that a certain efficient attack against an encryption scheme outputs a list of 𝜆5
possibilities for the secret key 𝑘. Suppose an attacker is also given a plaintext/ciphertext pair,
how can he find the right key? Find an upper bound of the security level of this encryption
scheme. Is it a good idea to use this encryption scheme?

Exercise 2
Let 𝑛 be a positive integer. A Latin square of order 𝑛 is an 𝑛 × 𝑛 matrix 𝐿 = (𝓁𝑖,𝑗 )1≤𝑖,𝑗≤𝑛 with
entries 𝓁𝑖,𝑗 ∈ {1, … , 𝑛}, such that each element of the set {1, … , 𝑛} appears exactly once in each
row and each column of 𝐿. All possible messages are in the set X = {1, … , 𝑛} and all possible
keys in K = {1, … , 𝑛}. A Latin square defines a cipher of a plaintext 𝑥 ∈ X under a key 𝑘 ∈ K as
𝑦 = 𝐶𝑘 (𝑥) = 𝓁𝑘,𝑥 .
1. Find a Latin square 𝐿 of order 4. Using this matrix, encrypt the plaintext 𝑥 = 3 with the
key 𝑘 = 2.
2. Prove that a Latin square defines a cipher which achieves perfect secrecy if the key is
uniformly distributed, independent of the plaintext, and used only once.

Exercise 3
Suppose Alice and Bob utilize the following encryption table to encrypt their messages:

𝑚1 𝑚2
𝑘1 1 2
𝑘2 2 3
𝑘3 3 4
𝑘4 4 1

1
where 𝑚𝑖 ’s and 𝑘𝑖 ’s represent the messages and the keys respectively. Furthermore, the keys and
the messages are selected with the following probability 𝑃 (𝑚1 ) = 1/4, 𝑃 (𝑚2 ) = 3/4, 𝑃 (𝑘1 ) =
1/2 and 𝑃 (𝑘2 ) = 𝑃 (𝑘3 ) = 1/6.
1. Show the cryptosystem does not provide perfect secrecy.
2. Modify plaintext and/or key distribution so that perfect secrecy is obtained. Explain
why.

Exercise 4
Let 𝐹 , 𝐹 −1 be the encryption and decryption algorithms of a block cipher. We use the notation
𝐹𝑘 (𝑚) = 𝐹 (𝑘, 𝑚) and 𝐹𝑘−1 (𝑚) = 𝐹 −1 (𝑘, 𝑚). Alice proposes a new mode that encrypts a sequence
of message blocks 𝑚1 , 𝑚2 , … , by the sequence of ciphertext blocks 𝑐1 , 𝑐2 , … using the following
method:
𝑐𝑖 = 𝑚𝑖−1 ⊕ 𝐹𝑘 (𝑚𝑖 ⊕ 𝑐𝑖−1 ) , 𝑖 ≥ 1
𝑚0 and 𝑐0 are fixed (and public) initialization vectors. Describe how decryption is performed.

Exercise 5
Triple DES is a modification of the data encryption standard DES that is still secure by today’s
standards. It encrypts blocks of 64 bits. We would like a cipher of block length 128 bits, so for
a message 𝑚 of 128 bits consisting of two blocks 𝑚1 , 𝑚2 of 64 bits each, we define a new block
cipher 𝐹 (𝑘, 𝑚) = (3𝐷𝐸𝑆𝑘 (𝑚1 ), 3𝐷𝐸𝑆𝑘 (𝑚2 )).
• Comment on the diffusion/confusion properties of this cipher. Would you use it?
• Does any of the attacks discussed in class apply when using this cipher in CBC mode?
• Discuss security when using in Counter Mode.

Extra Exercises

Exercise 6
Bob modifies the one-time pad as follows. To encrypt an 𝓁-bits length message 𝑚, he selects
uniformly at random a key 𝑘̄ from {0, 1}𝓁/2 and computes the key 𝑘 as follows: 𝑘 = 𝑘‖ ̄ where ‖
̄ 𝑘,
denotes concatenation. Explain if this scheme has perfect secrecy. Justify your answer.

Exercise 7
Oscar has intercepted two ciphertexts:
𝑐1 = 1111100101111001110011000001011110000110
𝑐2 = 1111101001100111110111010000100110001000
He knows that both are OTP ciphertexts, encrypted with the same key. Not only that, he also
knows that either the plaintext of 𝑐1 is alpha and the plaintext of 𝑐2 is bravo or the plaintext of
𝑐1 is delta and the plaintext of 𝑐2 gamma (all converted to binary from ASCII in the standard
way).
Which of these two possibilities is correct, and why? What was the key 𝑘?