
Exercise 1 - Shannon theory and toy examples

Example 1.0 (Previous exam) You have found an old ciphertext, where you know that the
plaintext discusses cryptographic methods. You suspect that a Vigenere cipher has been
used and therefore look for repeated strings in the ciphertext.

You find that the string TICRMQUIRTJR occurs twice in the ciphertext. The first occurrence
starts at character position 10 in the text and the second at character position 241
(we start counting from 1).

You make the inspired guess that this ciphertext sequence is the encryption of the plaintext
word cryptography. If this guess is correct, what is the key?
Hint: Analyze the possible periods.

Solution To estimate the period we use the Kasiski test. The distance between the two
occurrences given is

$$241 - 10 = 231 = 3 \cdot 7 \cdot 11$$

positions. Possible periods are thus 3, 7 and 11. If the guess is correct, we can immediately
find the corresponding shifts: at position 10 the shift is

$$\mathrm{T} - \mathrm{c} = 19 - 2 = 17 = \mathrm{r}.$$

Similar computations for the other positions give the shift keys

rrectcorrect

We now see that this is not periodic with periods 3 or 11, while period 7 is possible. The
keyword of length 7 starts at position 15; hence the keyword is

correct.
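
The same steps as a short program (an added example, not part of the original exercise sheet): it derives the shift letters from the crib, tests each divisor of the Kasiski distance that is short enough to be checked against a 12-letter crib, and rotates the shifts so the keyword is aligned to text position 1. The function names are chosen here for illustration.

```python
from string import ascii_lowercase as ALPHA


def shifts_from_crib(cipher: str, crib: str) -> str:
    """Key letter at each position: (ciphertext - plaintext) mod 26."""
    return "".join(
        ALPHA[(ord(c) - ord(p)) % 26]
        for c, p in zip(cipher.lower(), crib.lower())
    )


def divisors(n: int) -> list[int]:
    """Divisors of n greater than 1 (candidate periods from the Kasiski distance)."""
    return [d for d in range(2, n + 1) if n % d == 0]


def consistent_periods(shifts: str, candidates: list[int]) -> list[int]:
    """Candidates p for which shifts[i] == shifts[i + p] wherever both exist.

    Periods >= len(shifts) cannot be tested against the crib and are skipped.
    """
    return [
        p for p in candidates
        if p < len(shifts)
        and all(shifts[i] == shifts[i + p] for i in range(len(shifts) - p))
    ]


def keyword(shifts: str, start_pos: int, period: int) -> str:
    """Align the shifts to the key, assuming key letter 1 is used at text position 1.

    start_pos is the 1-based text position of the first shift letter.
    """
    key = [""] * period
    for offset, s in enumerate(shifts):
        key[(start_pos - 1 + offset) % period] = s
    return "".join(key)


if __name__ == "__main__":
    s = shifts_from_crib("TICRMQUIRTJR", "cryptography")
    periods = consistent_periods(s, divisors(241 - 10))
    print(s, periods, [keyword(s, 10, p) for p in periods])
```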

Example 1.1 (Previous exam) Alice wants to encrypt some sequence of independent
decimal digits and send it to Bob. Let $E_K$ denote the encryption function operating on decimal
digits. A sequence of decimal digits $M_1, M_2, \ldots, M_n \in \mathbb{Z}_{10}$ is encrypted to a sequence of
ciphertext symbols $C_1, C_2, \ldots, C_n$, $C_i \in \mathbb{Z}_{10}$, by

$$C_i = E_K(M_i), \quad \forall i,\ 1 \le i \le n.$$

a) Determine which of the following mappings are possible encryption functions:

$$\begin{aligned}
E_K(M) &= M, \\
E_K(M) &= K, \\
E_K(M) &= M + K, \\
E_K(M) &= M \cdot K, \\
E_K(M) &= M^{K+1},
\end{aligned}$$

if $M, K \in \mathbb{Z}_{10}$ and all operations above are performed (mod 10).

Solution: a) An encryption function must be bijective (invertible) for all fixed keys
K. Clearly, $E_K(M) = M$ and $E_K(M) = M + K$ are bijective. The others are not bijective
for all K.

b) Determine the unicity distance if the cipher is a simple substitution cipher and

$$P(M = 0) = P(M = 1) = 4 \cdot P(M = 2),$$

together with

$$P(M = 2) = P(M = 3) = \cdots = P(M = 8) = P(M = 9).$$

Hint: Use the formula for unicity distance and approximate $H_L$ as $H(M)$, that is $H_L = H_M$.

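Solution: b) Unicity distance (pg. 63 Stinson and lecture notes) is defined as

$$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L}, \qquad R_L = 1 - \frac{H_L}{\log_2 |\mathcal{P}|}.$$

From the conditions we also get:

$$P(M = 0) = P(M = 1) = 4 \cdot P(M = i), \quad i \in [2, 9],$$

$$\sum_{i=0}^{9} P(M = i) = 1$$

$$\Rightarrow P(M = 0) = \frac{1}{4}; \quad P(M = 2) = \frac{1}{16}.$$

$$\log_2 |\mathcal{K}| = H(K) = \log_2(10!)$$

$$\log_2 |\mathcal{P}| = H(P) = \log_2(10)$$

$$H_L = H(M) = -2 \cdot \frac{1}{4} \log_2 \frac{1}{4} - 8 \cdot \frac{1}{16} \log_2 \frac{1}{16} = 3$$

So

$$n_0 = \frac{\log_2(10!)}{\log_2(10) - 3} = 67.8 \approx 68$$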

Example 1.2 a) Let p be prime. How many 2 × 2 invertible matrices are there over $\mathbb{Z}_p$?

Hint: A matrix over a field is invertible iff its rows are linearly independent vectors.

Solution The first row can be selected in $(p^2 - 1)$ ways (not the all-zero row). The second row in
$(p^2 - p)$ ways (not a linear combination of the first row).

In total there are

$$(p^2 - 1)(p^2 - p).$$

b) Generalize the above to find out the number of m × m invertible matrices over $\mathbb{Z}_p$.

Solution First row $p^m - 1$ ways, second $p^m - p$, third $p^m - p^2$, etc. The number of invertible
matrices is

$$|GL(\mathbb{F}_p)| = (p^m - 1)(p^m - p) \cdots (p^m - p^{m-1}).$$

c) Is the following matrix invertible over $\mathbb{Z}_3 = \{0, 1, 2\}$?

$$A = \begin{pmatrix} 2 & 1 & 1 \\ 2 & 2 & 1 \\ 0 & 1 & 0 \end{pmatrix}$$

Solution Obviously not: the sum of the first row, 2 × the second row and the third
row gives

$$(2 + 2 \cdot 2 + 0 = 0,\ 1 + 2 \cdot 2 + 1 = 0,\ 1 + 2 \cdot 1 = 0) \pmod 3.$$
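
The counting formula of parts a) and b) and the answer to part c) can be checked by machine. The following is an added example, not part of the original sheet: it computes the rank over $\mathbb{Z}_p$ by Gaussian elimination, counts invertible matrices by brute force for small m and p, and compares with the product formula. Function names are illustrative.

```python
from itertools import product


def rank_mod_p(matrix, p):
    """Rank of a matrix over Z_p (p prime) by Gauss-Jordan elimination."""
    rows = [[x % p for x in r] for r in matrix]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if pivot is None:
            continue  # no pivot in this column
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, p)  # modular inverse exists since p is prime
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * b) % p for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def is_invertible(matrix, p):
    """Invertible iff the rows are linearly independent, i.e. full rank."""
    return rank_mod_p(matrix, p) == len(matrix)


def count_invertible_bruteforce(m, p):
    """Enumerate all p^(m*m) matrices; only feasible for small m and p."""
    count = 0
    for entries in product(range(p), repeat=m * m):
        mat = [list(entries[i * m:(i + 1) * m]) for i in range(m)]
        count += is_invertible(mat, p)
    return count


def count_invertible_formula(m, p):
    """(p^m - 1)(p^m - p)...(p^m - p^(m-1)) from part b)."""
    total = 1
    for i in range(m):
        total *= p**m - p**i
    return total


# Matrix from part c)
A = [[2, 1, 1], [2, 2, 1], [0, 1, 0]]

if __name__ == "__main__":
    print(count_invertible_bruteforce(2, 3), count_invertible_formula(2, 3))
    print(rank_mod_p(A, 3), is_invertible(A, 3))
```
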

Ex. 1.3 Suppose a cryptosystem achieves perfect secrecy for a particular plaintext
distribution $p_0$. Prove that perfect secrecy is achieved for any probability distribution of
plaintext.

Hint: Use the definition of perfect secrecy and Bayes' theorem.

Solution Perfect secrecy is by definition

$$P(x \mid y) = P(x), \quad \forall x \in \mathcal{P},\ \forall y \in \mathcal{C}.$$

Bayes' theorem

$$P(x \mid y) = \frac{P(x) P(y \mid x)}{P(y)}$$

gives that this is equivalent to

$$P(y \mid x) = P(y), \quad \forall x \in \mathcal{P},\ \forall y \in \mathcal{C}.$$

The latter expression is independent of $P(x)$. This implies that if a system with perfect
secrecy changes the distribution $P(x)$ then the above equation will not be affected and
we still have perfect secrecy.

Ex. 1.4 Show that the unicity distance of the Hill cipher (with an m × m matrix) is
less than $m/R_L$. Recall that the unicity distance is

$$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|}$$

Hint: Use as the upper bound for the number of keys the total number of m × m matrices.

Solution The number of keys is strictly less than the number of m × m matrices over
$\mathbb{Z}_{26}$, i.e.

$$|\mathcal{K}| < 26^{m^2} \quad \text{(total number of matrices)}$$

$$\log_2 |\mathcal{K}| < m^2 \log_2 26$$

Now

$$|\mathcal{P}| = 26^m$$

so the unicity distance is

$$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} < m/R_L$$

Ex. 1.5 Prove that the Shift cipher is idempotent.

Solution In the Shift cipher, called S,

$$e_K(x) = x + K \pmod{26}.$$

Now $S^2$ is the cipher defined by

$$e_{(K_1, K_2)}(x) = e_{K_2}(e_{K_1}(x)) = x + K_1 + K_2 = e_{K_1 + K_2}(x) \pmod{26}.$$

With the same key distribution we conclude that $S^2 = S$.

Remember to check the key distribution!

Ex. 1.6 Suppose $S_1$ and $S_2$ are Vigenere ciphers with keyword lengths $m_1$, $m_2$ respectively,
where $m_1 > m_2$.
Hint: Represent the encryption function in a convenient way.

a) If $m_2 \mid m_1$ show that $S_2 \times S_1 = S_1$.

Solution a) In the Vigenere cipher, called S,

$$e_K(x_1, \ldots, x_m) = (x_1 + k_1, \ldots, x_m + k_m) \pmod{26}.$$

Now $S_1$ and $S_2$ are Vigenere ciphers with key lengths $m_1$ and $m_2$ respectively.

When $m_2 \mid m_1$ then

$$e_{(K_1, K_2)}(x_1, \ldots, x_{m_1}) = (x_1 + k_1^1 + k_1^2,\ \ldots,\ x_{m_2} + k_{m_2}^1 + k_{m_2}^2,\ x_{m_2+1} + k_{m_2+1}^1 + \underbrace{k_{m_2+1}^2}_{= k_1^2},\ \ldots,\ x_{m_1} + k_{m_1}^1 + k_{m_1}^2) \pmod{26}.$$

From now on everything is repeated: $k_{m_1+1}^1 = k_1^1$ and $k_{m_2+1}^2 = k_1^2$.

There is a uniform distribution on the keys so we are done.

b) One might try to generalize this result claiming that

$$S_2 \times S_1 = S_3,$$

where $S_3$ is the Vigenere cipher with keyword length $\mathrm{lcm}(m_1, m_2)$.

Prove that the conjecture is false.

Hint: Compare the number of the keys.

Solution b) The number of keys in $S_2 \times S_1$ is

$$26^{m_1} \times 26^{m_2} = 26^{m_1 + m_2}.$$

In $S_3$ the number of keys is

$$26^{\mathrm{lcm}(m_1, m_2)}$$

But $m_1 + m_2 \neq \mathrm{lcm}(m_1, m_2)$ in general.

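Ex. 1.7 Consider the following cryptosystem (Previous exam):

$$\mathcal{K} = \{A, B\}, \quad \Pr(A) = 2/3, \quad \Pr(B) = 1/3$$

$$\mathcal{P} = \{0, 1\}, \quad \Pr(0) = 3/5, \quad \Pr(1) = 2/5$$

$$\mathcal{C} = \{a, b\}$$

The encryption rules are given by:

$$\begin{array}{c|cc} & 0 & 1 \\ \hline A & a & b \\ B & b & a \end{array}$$

a) Compute Pr(a) and Pr(0|a). Is the cryptosystem perfectly secure?

Solution a) $\Pr(a) = \Pr(0) \cdot \Pr(A) + \Pr(1) \cdot \Pr(B) = \frac{8}{15}$. Use Bayes' theorem to
compute

$$\Pr(0 \mid a) = \frac{\Pr(0) \cdot \Pr(a \mid 0)}{\Pr(a)} = \frac{\frac{3}{5} \cdot \frac{2}{3}}{\frac{8}{15}} = \frac{3}{4}.$$

No, the cryptosystem is not perfectly secure:

$$\Pr(0 \mid a) \neq \Pr(0)$$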

b) What would be Pr(A) to make this system a perfect cryptosystem?

Hint: Use the definition of perfect secrecy.

Solution b) By definition a perfect cryptosystem satisfies $\Pr(x \mid y) = \Pr(x)$ for all
$x \in \mathcal{P}$, $y \in \mathcal{C}$. Then, we must have

$$\Pr(0 \mid a) = \Pr(0)$$

This is equivalent (see above) to $\Pr(a) = \Pr(a \mid 0) = \Pr(A)$, which implies

$$\Pr(0) \cdot \Pr(A) + \Pr(1) \cdot \Pr(B) = \Pr(A)$$

$$\Pr(0) \cdot \Pr(A) + \Pr(1) \cdot (1 - \Pr(A)) = \Pr(A)$$

$$\Rightarrow \Pr(A) = \frac{\Pr(1)}{1 - \Pr(0) + \Pr(1)} = \frac{2/5}{1 - 3/5 + 2/5} = \frac{1}{2}$$

c) What about the secrecy now?

$$\Pr(0 \mid a) = \frac{\Pr(0) \Pr(a \mid 0)}{\Pr(a)} = \frac{3/5 \cdot 1/2}{1/2 \cdot 3/5 + 1/2 \cdot 2/5} = \frac{3}{5}.$$

Thus $\Pr(0 \mid a) = \Pr(0)$, i.e. perfect secrecy. Same for b.
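
The computations of Ex. 1.7 can be reproduced with exact fractions. The following is an added example, not part of the original sheet: it builds the ciphertext distribution and the posterior Pr(x|y) from the encryption table and tests the definition of perfect secrecy for every pair (x, y). With the uniform key it also illustrates Ex. 1.3, since secrecy holds for a second plaintext distribution that is constructed here as an assumption.

```python
from fractions import Fraction as F

# Encryption table of Ex. 1.7: RULES[key][plaintext] -> ciphertext
RULES = {"A": {0: "a", 1: "b"}, "B": {0: "b", 1: "a"}}


def cipher_dist(p_key, p_plain):
    """Pr(y) = sum over (k, x) with e_k(x) = y of Pr(k) * Pr(x)."""
    dist = {}
    for k, pk in p_key.items():
        for x, px in p_plain.items():
            y = RULES[k][x]
            dist[y] = dist.get(y, 0) + pk * px
    return dist


def posterior(x, y, p_key, p_plain):
    """Pr(x | y) by Bayes' theorem: Pr(x) * Pr(y | x) / Pr(y)."""
    p_y_given_x = sum(pk for k, pk in p_key.items() if RULES[k][x] == y)
    return p_plain[x] * p_y_given_x / cipher_dist(p_key, p_plain)[y]


def perfectly_secret(p_key, p_plain):
    """True iff Pr(x | y) == Pr(x) for all plaintexts x and ciphertexts y."""
    ys = cipher_dist(p_key, p_plain)
    return all(
        posterior(x, y, p_key, p_plain) == p_plain[x]
        for x in p_plain for y in ys
    )


PLAIN = {0: F(3, 5), 1: F(2, 5)}            # distribution from the exercise
KEY_SKEWED = {"A": F(2, 3), "B": F(1, 3)}   # part a)
KEY_UNIFORM = {"A": F(1, 2), "B": F(1, 2)}  # part b), c)
PLAIN_OTHER = {0: F(1, 10), 1: F(9, 10)}    # constructed, to illustrate Ex. 1.3

if __name__ == "__main__":
    print(cipher_dist(KEY_SKEWED, PLAIN)["a"], posterior(0, "a", KEY_SKEWED, PLAIN))
    print(perfectly_secret(KEY_SKEWED, PLAIN), perfectly_secret(KEY_UNIFORM, PLAIN))
    print(perfectly_secret(KEY_UNIFORM, PLAIN_OTHER))
```
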

Ex. 1.8 We wish to encrypt a memoryless source with alphabet $\mathcal{M} = \{0, 1, 2\}$ and

$$P(M = 0) = 1/2, \quad P(M = 1) = 1/4, \quad P(M = 2) = 1/4.$$

Let the key $K = (K_1, \ldots, K_l)$, $K_i \in \{0, 1, 2\}$, be chosen uniformly from the set of l-tuples.
A sequence of message symbols

$$M_1, M_2, \ldots, M_n$$

is encrypted to a sequence of ciphertext symbols

$$C_1, C_2, \ldots, C_n$$

by

$$C_i = M_i + K_{i\,(\mathrm{mod}\ l)+1} \pmod 3, \quad \forall i,\ 1 \le i \le n.$$

a) Determine the unicity distance when l = 64.

Solution Unicity distance is given by

$$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L}.$$

Then,

$$H(K) = \log_2 |\mathcal{K}| = \log_2(3^{64}),$$

$$H_L = H(M) = -\sum_{i=0}^{2} P(M = i) \log_2 P(M = i) = \frac{3}{2}.$$

So the unicity distance is

$$n_0 = \frac{\log_2(3^{64})}{\log_2 3 - 3/2} \approx 1194.$$

b) Find all values of l that give perfect secrecy when n = 3.

Hint: Use the fact that for perfect secrecy we must have $H(K) \ge H(M)$.

Solution Perfect secrecy means that $H(P \mid C) = H(P)$. This is true for $l \ge 3$ because
it is then a one-time pad (Vernam cipher, see the book).

Study l = 2: Using the hint for perfect secrecy we have $H(K) \ge H(M)$. But for n = 3 we
have

$$\left.\begin{aligned} H(K) &= l \cdot \log_2 3 \\ H(M) &= 3 \cdot 1.5 \end{aligned}\right\} \Rightarrow \text{no perfect secrecy for } l \le 2.$$

Remark: In part a) we were discussing a practical cryptosystem and determined the unicity
distance, the minimum number of symbols we need to send for a unique decryption. In
part b) we are discussing perfect secrecy and consider a block of fixed length n, that is,
we consider the encryption of 3-grams (blocks of length 3). The entropy of a block of length
n is equal to $H(M^n) \le n \cdot H(M)$ since we do not have redundancy (frequent bigrams etc.)
as was the case for the English language.

Ex. 1.9 Let n be a positive integer. A Latin square of order n is an n × n matrix

$$L = (\ell_{i,j})_{1 \le i,j \le n}$$

with entries $\ell_{i,j} \in \{1, \ldots, n\}$, such that each element of the set $\{1, \ldots, n\}$ appears exactly
once in each row and each column of L.

A Latin square defines a cipher over the message space $\mathcal{M} = \{1, \ldots, n\}$ and the key space
$\mathcal{K} = \{1, \ldots, n\}$, for which the encryption of a plaintext $m \in \mathcal{M}$ under a key $k \in \mathcal{K}$ is defined
by

$$y = C_k(m) = \ell_{k,m}$$

Find a Latin square L of order 4. Using this matrix encrypt the plaintext m = 3 with the
key k = 2.

Did you get the same solution?

Solution An example of a Latin square of order 4 is

$$L = \begin{pmatrix} 1 & 4 & 3 & 2 \\ 4 & 2 & 1 & 3 \\ 2 & 3 & 4 & 1 \\ 3 & 1 & 2 & 4 \end{pmatrix}$$

Then $C_2(3) = \ell_{2,3} = 1$.

Example 1.10 a) Given is a block of plaintext letters “BAD” encrypted to “DCG”. Could
this encryption be achieved by an affine cipher defined by

$$y = ax + b \pmod{26}?$$

Here y denotes ciphertext letters and x denotes the plaintext letters.

Solution NO, we can easily solve for a = 1, b = 2 which is a correct encryption rule
for the first 2 letters, but obviously the third letter is shifted 3 positions.
Inconsistent system of equations.

b) Is this a valid cryptosystem for any a and b? Discuss your solution.

Solution Not a valid cryptosystem. For instance, take a = 2 and any b. Then

e(0) = 2 · 0 + b = b; e(13) = 2 · 13 + b = b (mod 26).

No unique decryption.
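
Both Example 1.1 a) and Example 1.10 come down to whether a map on $\mathbb{Z}_n$ is a bijection, so one check serves both. The following is an added example, not part of the original sheet: it tests the five candidate maps over $\mathbb{Z}_{10}$ for every key, searches all affine keys (a, b) consistent with a set of plaintext/ciphertext letters, and lists the multipliers a for which the affine map is invertible. Function names are illustrative.

```python
def is_bijection(f, n):
    """True if x -> f(x) mod n is a permutation of Z_n."""
    return len({f(x) % n for x in range(n)}) == n


# Example 1.1 a): candidate maps E_K(M) over Z_10
CANDIDATES = {
    "M": lambda m, k: m,
    "K": lambda m, k: k,
    "M+K": lambda m, k: m + k,
    "M*K": lambda m, k: m * k,
    "M^(K+1)": lambda m, k: m ** (k + 1),
}


def valid_for_all_keys(name, n=10):
    """An encryption function must be bijective for every fixed key K."""
    f = CANDIDATES[name]
    return all(is_bijection(lambda m, k=k: f(m, k), n) for k in range(n))


def affine_keys_matching(plain, cipher, n=26):
    """All (a, b) with a*x + b = y (mod n) for every letter pair (A=0, ..., Z=25)."""
    xs = [ord(c) - ord("A") for c in plain]
    ys = [ord(c) - ord("A") for c in cipher]
    return [
        (a, b) for a in range(n) for b in range(n)
        if all((a * x + b) % n == y for x, y in zip(xs, ys))
    ]


def invertible_multipliers(n=26):
    """Values of a for which x -> a*x + b (mod n) has a unique decryption."""
    return [a for a in range(n) if is_bijection(lambda x, a=a: a * x, n)]


if __name__ == "__main__":
    print({name: valid_for_all_keys(name) for name in CANDIDATES})
    print(affine_keys_matching("BA", "DC"), affine_keys_matching("BAD", "DCG"))
    print(invertible_multipliers())
```

The multipliers returned for n = 26 are exactly those coprime to 26, which is why a = 2 fails in part b).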
