CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1 June 2008. The questions with a * are extension questions, and will not be included in the assignment. Questions: 1. The following messsage has been sent using the affine cipher with encryption rule e k (x) = 9x + 11. BWVYRWLGGBVPVVA Decipher the message. 2. The following messsage has been sent using the affine cipher with encryption rule e k (x) = 3x 8. Decipher the message. XNEHIREYSUXQUVSB 3. You receive the message ZBBAKLBTWEHCGGCB Decipher the message, given that it has been encrypted using an Autokey cipher with key k in the range 15 to 19. 4. You receive the message DQIXFQETXPPZZR Decipher the message, given that it has been encrypted using an Autokey cipher with key k in the range 12 to 19. 5. Stream ciphers are often used with binary alphabets; i.e., P = C = Z 2 = {0, 1} under addition and multiplication mod 2. The encryption and decryption functions are just addition mod 2: e z (x) = x + z and d z (y) = y z = y + z (mod 2). The key stream is given by a linear recurrence relation, such as z i+3 = z i + z i+1 + z i+2 (mod 2). Given that the above relation holds for i > 0 and that z 1 = 1, z 2 = 0, z 3 = 1, successively compute the keys z 4,..., z 16 and find the ciphertext y 1 y 2... y 15 for the plaintext 1 1 1 1 1 0 0 0 0 0 1 1 1 1 1 Is the keystream periodic? If so, what is the period?
6. Suppose you intercept a ciphertext and the first 12 letters are: ALMZRPIAFOMY You know that it was encrypted with a Hill cipher with key A a 2 2 matrix, and that the plaintext starts with the word WHEN. Find the corresponding plaintext. (NOTE: You will need to solve linear equations in Z 26. When calculating with large numbers 25, 24, 23,... it may be easier to use 1, 2, 3,... respectively (as 25 1 (mod 26), etc.).) 7. The following ciphertext is intercepted: MLGAPOXUJLVSIO You know that it was encrypted with a Hill cipher with key A a 2 2 matrix, and that the plaintext starts with the word JAMES. Find the plaintext. 8. Give a reason why the matrix ( ) 0 4 cannot be used as the key for a Hill cipher operating on Z 1 17 26. 9. An Affine Hill Cipher is the following modification of the Hill Cipher: Let m be a positive integer and let P = C = Z m 26. A key K consists of an m m invertible matrix A over Z 26 and a vector b Z m 26. For a plaintext string of length m, (x 1, x 2,..., x m ) P and a key K = (A, b) K, we have (y 1, y 2,..., y m ) = e K ((x 1, x 2,..., x m )) = (x 1, x 2,..., x m )A + b a 11 a 12... a 1m a 21 a 22... a 2m = (x 1, x 2,..., x m )... + (b 1, b 2,..., b m ). a m1 a m2... a mm Suppose that Oscar has learned that m = 3 and that the plaintext string is encrypted to the ciphertext string Compute the key that was used. ADA YAT ABE ACH AND AGA MEO FVO LLE YBA LLZ HDQ UVN RFO KJZ SQU NGF FGX GEE WEM BDG LZC 10. (a) The permutation cipher is defined as follows. Fix a natural number m. The key space consists of all permutations on m symbols, and both the plaintext and ciphertext spaces consist of sequences of m letters in the English alphabet. To encrypt a message, it is broken into blocks of length m, each of which is permuted according to the chosen permutation. The permuted blocks are put together and sent as the ciphertext. (The final block may be padded out if necessary with random letters.) For example, suppose m = 3 and the key is π = ( ) 1 2 3 (that is, 1 maps to 3; 2 maps to 1 and 3 1 2 3 maps to 2). Then message is encrypted by m e s s a g e e t e s m a g s e t e and the ciphertext is ESMAGSETE. (Two random letters e and t have been added.) Decipher the following message, given that it was encrypted with a permutation cipher with m = 5.
HITEHRYSOTODOCFNDEASEBCDOKIRAEESNTG (b) A special case of the permutation cipher is as follows. Let m and n be positive integers. Write out the plaintext, by rows, in m n rectangles. Then form the ciphertext by taking the columns of these rectangles. For example, with m = 3 and n = 4 we would encrypt the plaintext cryptography by forming the following rectangle: c r y p t o g r a p h y The cipher text would then be CTAROPYGHPRY. (i) Describe how Bob would decrypt a ciphertext (given values for m and n). (ii) Decrypt the following ciphertext, which was obtained using this method of encryption: AYSLSUWAMASETORHSKACNTAOWEOSARTLIHGTHUMUYSOE 11. It is sometimes convenient to use the same encryption and decryption key. In the case of the Hill cipher, this means that the key A would be a matrix that satisfies A = A 1, i.e., A 2 = I. Such a matrix is called involutory. Determine all involutory 2 2 matrices with entries in Z 26. (Hint: what is the determinant of an involutory matrix?) 12. Let P = C = Z 2 and recall the stream cipher described in Question 5 above. More generally, we can generate a keystream using a linear recurrence relation of degree m as follows: we choose initial keys k = (k 1,..., k m ), c = (c 0,..., c m 1 ) Z m 2 and generate a keystream z 1z 2... by letting z i = k i, i = 1,..., m and using the linear recurrence relation z i+m = c 0 z i + c 1 z i+1 +... + c m 1 z i+m 1 (mod 2) to generate z i, i > m. If c 0,..., c m are chosen carefully, then any initial vector k will give rise to a keystream with a period 2 m 1. (So a short key can give rise to a keystream having a long period which makes it harder to break using a ciphertext only attack.) Another appealing aspect of this method of keystream generation is that thekeystream can be produced efficiently in hardware using a linear feedback shift register with m stages (see Stinson for more information). This cryptosystem is vulnerable to known plaintext attack. Suppose Oscar knows a plaintext string and the corresponding cipher text x 1 x 2... x 15 = 011001111111001 y 1 y 2... y 15 = 101101011110011. To make our calculations for this question easier, we also suppose that Oscar knows that m = 5. (a) Find the corresponding keystream bits z 1 z 2... z 15. (b) Explain why Oscar needs to solve the matrix equation z 1 z 2... z m z 2 z 3... z m+1 (z m+1, z m+2,..., z 2m ) = (c 0, c 1,..., c m 1 )... z m z m+1... z 2m 1 and write down the relevant matrix equation for this example. (c) Verify that 1 1 1 0 1 0 0 1 0 0 1 1 0 1 0 0 1 0 0 1 0 0 1 0 0 1 = 0 0 0 0 1 1 0 0 1 0 0 1 0 1 1. 0 0 1 0 0 1 0 1 1 0 [Recall: A matrix A has inverse B if and only if AB = I where I is the identity matrix.]
(d) Hence find the values c 0,..., c 4 and determine the linear recurrence relation used. 13. A block of ciphertext from a Vignére cipher is recieved, and the trigram AZQ is observed to occur at places 3, 21 and 45. Use the Kasiski test to find possible lengths of the codeword. 14. (i) A piece of English text has been encrypted using both the Substitution and Vignére ciphers. The two ciphertexts are given below. Compute the index of coincidence for both and use it to show that (a) is the Vigenere cipher and (b) is the Substitution cipher. (i) VBPUSYNGABTPUSDVZHPWLUSNGVEFGWLGPUSGRMEFOINHNVL (ii) NZXLIKDVIQHXLILNOOKNSLITXLNVVDAVXLICIANVDPDXTNR (a) Letter Freq Letter Freq A 1 N 4 B 2 O 1 C 0 P 4 D 1 Q 0 E 2 R 1 F 2 S 4 G 5 T 1 H 2 U 4 I 1 V 4 J 0 W 2 K 0 X 0 L 3 Y 1 M 1 Z 1 (b) Letter Freq Letter Freq A 2 N 6 B 0 O 2 C 1 P 1 D 4 Q 1 E 0 R 1 F 0 S 1 G 0 T 2 H 1 U 0 I 6 V 5 J 0 W 0 K 2 X 5 L 6 Y 0 M 0 Z 1 (iii) Decrypt the Vigenere cipher given in the above question. (Hint: look for a common trigram and use the Kasiski test to determine the length of the codeword. Guess the plaintext corresponding to the trigram and hence find the codeword.) 15. Prove the second half of Theorem 3.5 from lectures. That is, suppose that (K, C, P, E, D) is a cryptosystem with K = P = C. Show that if (i) every key k is used with equal probability 1/ K ; (ii) for every x P and y C there is a unique key k such that e k (x) = y then the cryptosystem provides perfect secrecy. 16. Consider a cryptosystem with plaintext space P = {A, B, C}, ciphertext space C = {a, b, c, d} and keyspace K = {k 1, k 2, k 3, k 4 }. Suppose that the probability distributions p P on P and p K on K are given by p P (A) = 3 8, p P(B) = 1 2, p P(C) = 1 8, p K (k 1 ) = 1 4, p K(k 2 ) = 1 4, p K(k 3 ) = 1 8, p K(k 4 ) = 3 8. Suppose that the encryption functions are given by the table A B C e k1 a b c e k2 a c d e k3 b c a e k4 d a b
(i) Find p C (c). (ii) Find p C (c B). (iii) Find p P (B c). (iv) Does the system have perfect secrecy? 17. Consider a cryptosystem (P, C, K, E, D) with plaintext space P = {A, B, C}, keyspace K = {k 1, k 2, k 3 } and ciphertext space C = {a, b, c, d}. Suppose that the encryption functions are: A B C e k1 a b c e k2 d a b e k3 c d b The probability distribution on P is p P and the probability distribution on K is p K, where p P (A) = 1/2, p P (B) = p P (C) = 1/4 and p K (k 1 ) = p K (k 2 ) = p K (k 3 ) = 1/3. Find (a) p C (c); (b) p C (c A); (c) p P (A c). Does this system have perfect secrecy? Explain your answer. 18. (a) Find all positive integer solutions to 14x + 8y = 64. (b) Find all integer solutions to 91x + 357y = 1260. 19. (a) Find all integer solutions to 6x+21y = 27. Hence find all positive integer solutions to this equation. (b) Find all integer solutions to 115x + 395y = 1260. (c) Find all integer solutions to 131x + 288y = 1. Hence solve the congruence 131x 1 (mod 288). 20. (a) Solve the congruence 21x 14 (mod 35) (that is, find all solutions mod 35). (b) Find 531 1 (mod 1024). 21. (a) Solve the congruence 25x 10 (mod 35) (that is, find all solutions mod 35). (b) Find 160 1 (mod 841). 22. Find, if possible, 230 1 (mod 1023) and 36 1 (mod 1023). 23. Let n be a positive integer. A Latin square of order n is an n n array L of the integers 1, 2,..., n such that each integer appears exactly once in each row and column. For any Latin square L, we can form a cryptosystem with K = P = C = {1, 2,..., n} and for each key k the encryption rule e k (j) = L(k, j). Under what conditions does this system give perfect secrecy? Prove your assertion. 24. Use Fermat s Theorem to compute the following by hand (a) 19 154 (mod 29); (b) 13 110 (mod 17); (c) 2 60 (mod 29); (d) 11 90 (mod 23).
25. One very useful test to determine if the odd integer n is prime is to use Fermat s Theorem. Namely, if we can find an integer a such that a n 1 1 (mod n), then we know that n is not a prime number. But the converse is not true. Suppose that n = pq, where p and q are distinct (odd) primes. (a) Show that if and only if (Hint: consider a pq (mod pq), etc.) (b) Use this fact to construct examples in which (i) a n 1 1 (mod n) but n is not prime; a n 1 = a pq 1 1 (mod n) a p 1 1 (mod q) and a q 1 1 (mod p). (ii) a n 1 1 (mod n). Make sure that your examples are not trivial: in other words, n > 1 and a ±1 (mod n). 26. Consider RSA with modulus n = 17 19 = 323 and exponent b = 131. (a) Find the decryption exponent a. (b) You receive the ciphertext y 1 = 242, y 2 = 143. Find the first letter of the plaintext. (For this question you may need the solution to question 17(c) above.) 27. The following message has been sent using the RSA system with the key n = 1363, b = 87: Decipher the message. 893, 1265, 406, 171, 980, 1040, 12, 1152, 573. 28. The following message has been sent using the RSA system with the key n = 2173, b = 61: Decipher the message. 956, 2111, 1279, 1646, 1938, 1633, 481, 592, 1450. 29. Bob uses the ElGamal public key cryptosystem with prime p = 167 and primitive element e = 23. His private key is a = 15. (a) Calculate Bob s public key f. (b) Charlie wants to send the message m = 2 to Bob. He randomly chooses the number k = 10 to encipher his message. Find the ciphertext that Charlie sends to Bob. (c) Alice encrypts her age and sends the ciphertext (3, 154) to Bob. Decrypt this ciphertext to find Alice s age. 30. The following gives a way that Oscar can forge Bob s signature using the ElGamal Signature Scheme. If Oscar chooses c 1 and c 2 and tries to solve for the message m, he is faced with the Discrete Logarithm problem: namely the computation of log e f c 1 c c 2 1 mod p. Hence Oscar cannot sign a random message using this approach. However, Oscar can sign certain messages as follows: Suppose i, j Z p 1 and (j, p 1) = 1. Let c 1 = e i f j (mod p) c 2 = c 1 j 1 (mod p 1) m = c 1 ij 1 (mod p 1) Prove that (c 1, c 2 ) is a valid signature for the message m.
(Note that this method produces valid forged signatures, but they don t allow an opponent to forge a signature on a message that they choose, so it is a minimal threat to the security of the ElGamal Signature Scheme.) 31. This exercise provides an example of protocol failure. It shows how if a cryptosystem is used in a careless way the ciphertext can be decrypted by an opponent without determining the key. Suppose that Bob has an RSA cryptosystem with modulus n and exponent b 1, and that he supplies his friend Charlie the same modulus n but chooses a different key b 2 with (b 1, b 2 ) = 1. Thus Charlie uses the RSA cryptosystem with modulus n and exponent b 2. Consider the situation that arises if Alice encrypts the same plaintext x and sends it to both Bob and Charlie. Thus, she computes y 1 = x b 1 (mod n) and y 2 = x b 2 (mod n), sending y 1 to Bob and y 2 to Charlie. Suppose that Oscar intercepts y 1 and y 2 and computes c 1 and c 2 such that c 1 b 1 + c 2 b 2 = 1. (Why can he do this?) computes x 1 = y c 1 1 yc 2 2 (mod n). (a) Show that the value x 1 computed by Oscar is, in fact, Alice s plaintext x. (b) Illustrate this attack by computing x if n = 15857, b 1 = 77, b 2 = 1879, y 1 = 14742, 8678 and y 2 = 1531, 8013. 32. Suppose Bob is using the ElGamal Signature Scheme and he signs two messages m 1 and m 2 using the same key k giving signatures (c 1, c 2 ) and (c 1, c 2 ) respectively. (a) Show that if (c 2 c 2, p 1) = 1, then k can be efficiently computed. (b) Describe how the signature scheme can be broken once k is known. 33. Consider the following variation of the ElGamal Signature Scheme. The setup of the scheme is the same as in lectures, with the following change: c 2 = (m kc 1 )a 1 (mod p 1). (a) Bob sends m, c 1, c 2 to Alice. Show how Alice verifies that c 1, c 2 is a valid signature for the message m. (b) Describe a computational advantage of this modified scheme over the original scheme. 34. The Blom Key Distribution Scheme Suppose we have a group of n people {P 1,..., P n }, and we want any ( two people to share a common secret key. One way to do this is to have a trusted dealer D generate n ) 2 keys kij where k ij is the key shared by P i and P j and then securely give each person the n 1 keys associated with them. This involves a lot of communication, and each person has to store a lot of secret information. The Blom Scheme reduces both of these. initialisation The dealer choses a large prime p and values y 1,..., y n Z p where y i is associated with P i. The dealer choses random a, b, c Z p and forms the polynomial f(x, y) = a + b(x + y) + cxy (mod p). public information: p, y 1,..., y n. secret information: the dealer securely gives P i the polynomial g i (x) = f(x, y i ) (mod p). keys: P i and P j have common key k ij = f(y i, y j ). Suppose p = 131, y 1 = 1, y 2 = 2, y 3 = 3, y 4 = 4 and f(x, y) = 11 + 87(x + y) + 2xy. (i) Write down the secret information D sends P 1, P 2, P 3, P 4. (ii) Write down the 6 keys k ij.
(iii) Show how P 1 and P 2 calculate k 12. (iv) Show that P 3 cannot determine any information about k 12. (v) Show that if P 3, P 4 cooperate, then they can find k 12. 35. Suppose we have a Shamir (4, 10)-threshold scheme with x i = i for i = 1,..., 10 in Z 131. Suppose P 2, P 5, P 6 and P 8 pool their shares y 2 = 106, y 5 = 8, y 6 = 34, y 8 = 14. Calculate the secret key. Hence find the shares of the remaining participants. 36. Suppose we have a Shamir (3, 7)-threshold scheme with x i = i for i = 1,..., 7 in Z 23. Suppose that P 1, P 4, P 6 pool their shares y 1 = 5, y 4 = 16, y 6 = 3. Calculate the secret key and find the shares of P 2 and P 3.
Using Excel with ciphers Calculations by Computer You can use Excel to help do some of the calculations required for these ciphers. You can convert letters into numbers and back as follows. If you type in the command code(a) Excel returns the number 65. We want A to map to 0, so we if we use the command Excel returns the number as required. code(a) 65 The command char(65) returns the letter A. Similarly, char(66)=b,...,char(90)=z. So for example, to turn a letter * into the corresponding number, use the command 0 code( ) 65 and to turn the number * into the corresponding letter, use the command char( + 65) You can also use the command MOD(number,divisor) in excel. For example, use mod(, 26) to find the remainder of the number * when it is divided by 26. For students who have access to Maple or Matlab, you can use the following commands. power(25,2) mod 67; calculates 25 2 (mod 67) d:=igcd(69,3372); calculates d = gcd(69, 3372) d:=igcdex(69,3372, s, t ); calculates d as above and also finds integers s, t with d = sa + tb. ifactor(3902); factorizes 3902 into primes isprime(337937); tests the number for primality nextprime(1000342394); finds the next prime after the given number All of the above functions should be available in Matlab by just typing maple( function ) to get Matlab to call Maple and implement the command function. For example, after typing matlab you could try maple( power(25,2) mod 67 )