Professional Documents
Culture Documents
Example 1.0 (Previous exam) You have found an old ciphertext, where you know that the
plaintext discusses cryptographic methods. You suspect that a Vigenere cipher has been
used and therefore look for repeated strings in the ciphertext.
You find that the string TICRMQUIRTJR occurs twice in the ciphertext. The first oc-
currence starts at character position 10 in the text and the second at character position 241
(we start counting from 1).
You make the inspired guess that this ciphertext sequence is the encryption of the plaintext
word cryptography. If this guess is correct, what is the key ?
Hint : Analyze the possible periods.
Solution To estimate the period we use the Kasiski test. The distance between the two
occurrences given is
241 − 10 = 231 = 3 · 7 · 11
positions.
Possible periods are thus 3, 7 and 11. If the guess is correct, we can immediately find the
corresponding shifts: at position 10 the shift is
T − c = 19 − 2 = 17 = r
. Similar computations for the other positions gives the shift keys
rrectcorrect
We now see that this is not periodic with periods 3 or 11, while period 7 is possible. The
keyword of length 7 starts at position 15; hence the keyword is
correct.
Example 1.1 (Previous exam) Alice wants to encrypt some sequence of independent
decimal digits and send to Bob. Let EK denote the encryption function operating on decimal
digits. A sequence of decimal digits M1 , M2 , . . . , Mn ∈ Z10 is encrypted to a sequence of
ciphertext symbols C1 , C2 , . . . , Cn , Ci ∈ Z10 by
Ci = EK (Mi ), ∀i, 1 ≤ i ≤ n.
1
a) Determine which of the following mappings that are possible encryption functions:
EK (M ) = M,
EK (M ) = K,
EK (M ) = M + K,
EK (M ) = M · K,
EK (M ) = M K+1 ,
Solution: a) An encryption function must be bijective (invertible) for all fixed keys
K. Clearly, EK (M ) = M and EK (M ) = M + K are bijective. The others are not bijective
for all K.
b) Determine the unicity distance if the cipher is a simple substitution cipher and
P (M = 0) = P (M = 1) = 4 · P (M = 2),
together with
P (M = 2) = P (M = 3) = · · · =
P (M = 8) = P (M = 9).
Hint: Use the formula for unicity distance and approximate HL as H(M ), that is HL = HM .
HL
RL = 1 −
log2 |P|
P (M = 0) = P (M = 1) = 4 · P (M = i), i ∈ [2, 9]
X9
P (Mi ) = 1.
i=0
1 1
⇒ P (M = 0) = ; P (M = 2) = .
4 16
2
log2 |K| = H(K) = log2 (10!)
log2 |P| = H(P ) = log2 (10)
1 1 1 1
HL = H(M ) = −2 log2 − 8 log2 =3
4 4 16 16
So
log2 (10!)
n0 = = 67.8 ≈ 68
log2 (10) − 3
Example 1.2 a) Let p be prime. How many 2 × 2 invertible matrices are there over
Zp ?
Hint: A matrix over a field is invertible iff its rows are linearly independent vectors.
Solution First row can be selected in (p2 − 1) ways (not the all zero). The second row in
(p2 − p) ways (no linear combination of the first row).
Solution Obviously not - the sum of the first row and the 2× second row and the third
row gives,
(2 + 2 · 2 + 0 = 0, 1 + 2 · 2 + 1 = 0, 1 + 2 · 1 = 0) (mod 3).
Ex. 1.3 Suppose a cryptosystem achieves perfect secrecy for a particular plaintext
distribution p0 . Prove that perfect secrecy is achieved for any probability distribution of
3
plaintext.
P (x|y) = P (x), ∀x ∈ P ∀y ∈ C.
Bayes Theorem
P (x)P (y | x)
P (x | y) =
P (y)
gives that this is equivalent to
P (y|x) = P (y), ∀x ∈ P ∀y ∈ C.
The latter expression is independentof P (x). This implies that if a system with perfect
secrecy changes the distribution on P (x) then the above equation will not be affected and
we still have perfect secrecy.
Ex. 1.4 Show that a unicity distance of the Hill Cipher (with an m × m matrix) is
less than m/RL . Recall that the unicity distance is
log2 |K|
n0 =
RL log2 |P|
Hint: Use as the upper bound for the number of keys the total number of m × m matrices.
Solution The number of keys is strictly less than the number of m × m matrices over
Z26 i.e.
2
|K| < 26m total number of matrices
log2 |K| < m2 log2 26
Now
|P | = 26m
so the unicity distance is
log2 |K|
n0 = < m/RL
RL log2 |P |
4
Solution In the Shift cipher called S
Ex. 1.6 Suppose S1 and S2 are Vigenere ciphers with keyword lengths m1 , m2 respec-
tively, where m1 > m2 .
Hint: Represent the encryption function in a convenient way.
1
From now on everything is repeated km 2
= k11 and km = k12 .
1 +1 2 +1
S2 × S1 = S3 ,
5
Hint: Compare the number of the keys.
b) Number of keys in S2 × S1 is
0 1
A a b
B b a
8
Solution a) Pr(a) = Pr(0) · Pr(A) + Pr(1) · Pr(B) = 15 . Use the Bayes’ theorem to
compute,
3 2
Pr(0) · Pr(a|0) · 3
Pr(0|a) = = 583 = .
Pr(a) 15
4
Pr(0|a) 6= Pr(a)
6
This is equivalent (see above) that Pr(a) = Pr(a|0) = Pr(A) which implies,
Pr(0) · Pr(A) + Pr(1) · Pr(B) = Pr(A)
Pr(0) · Pr(A) + Pr(1) · (1 − Pr(A)) = Pr(A)
Pr(1)
⇒ Pr(A) = =
1 − Pr(0) + Pr(1)
2/5 1
=
1 − 3/5 + 2/5 2
c) What about the secrecy now ?
Let the key K = (K1 , . . . , Kl ), Ki ∈ {0, 1, 2}, be chosen uniformly from the set of l-tuples.
A sequence of message symbols
M1 , M2 , . . . , Mn
is encrypted to a sequence of ciphertext symbols
C1 , C2 , . . . , Cn
by
Ci = Mi + Ki (mod l+1) (mod 3), ∀i, 1 ≤ i ≤ n.
a) Determine the unicity distance when l = 64.
7
So the unicity distance
log2 (364 )
n0 = ≈ 1194.
log2 3 − 3/2
Solution Perfect secrecy means that H(P |C) = H(P ). This is true for l ≥ 3 because
it is one-time pad Vernam cipher (see the book).
Study l = 2: Using the hint for perfect secrecy we have H(K) ≥ H(M ). But for n = 3 we
have
H(K) = l · log2 3
H(M ) = 3 · 1.5
⇒ no perfect secrecy for l ≤ 2.
Remark: In part a) we were discussing a practical cryptosystem and determined the unicity
distance - the minimum number of symbols we need to send for a unique decryption. In
part b) we are discussing a perfect secrecy and consider a block of fixed length n, that is
considers the encryption of 3-grams (blocks of length 3). The entropy of a block of length
n is equal to H(M n ) ≤ n · H(M ) since we do not have redundancy (frequent bigrams etc.)
as it was the case for English language.
Ex. 1.9 Let n be a positive integer. A Latin square of order n is an n × n matrix
L = (`i,j )1≤i,j≤n
with entries `i,j ∈ {1, . . . , n}, such that each element of the set (1, . . . , n) appears exactly
once in each row and each column of L.
A Latin square defines a cipher over the message space M = {1, . . . , n} and the key space
K = {1, . . . , n}, for which the encryption of a plaintext m ∈ M under a key k ∈ K is defined
by
y = Ck (m) = `k,m
Find a Latin square L of order 4. Using this matrix encrypt the plaintext m = 3 with the
key k = 2.
8
Solution An example of Latin square of order 4 is
1 4 3 2
4 2 1 3
L= 2
3 4 1
3 1 2 4
Example 1.10 a) Given is a block of plaintext letters “BAD” encrypted to “DCG”. Could
this encryption be achieved by an affine cipher defined by,
y = ax + b (mod 26).
Solution NO, we can easily solve for a = 1, b = 2 which is a correct encryption rule
for the first 2 letters, but obviously the third letter is shifted 3 positions.
Inconsistent system of equations.
Solution Not a valid cryptosystem. For instance, take a = 2 and any b. Then
No unique decryption.