
Modern Cryptography Oct 9, 2018 Solutions to Homework 1 Lecturer: Krzysztof Pietrzak, TA: Michael Walter

To get credit for this homework it must be submitted no later than Wednesday, October 17 via email to [email protected]. Please use “MC18 Homework 1” as the subject.

We did not discuss the Vigenère cipher in class; it is described in the book (§1.3) and will be discussed in the tutorial.

1.2 Provide a formal definition of the Gen, Enc, and Dec algorithms for the mono-alphabetic substitution cipher.

Solution Recall that Gen and Enc are randomized algorithms, so we assume they have access to unbiased random bits. We identify the alphabet {A, B, . . . , Z} with the set Σ = {0, 1,... 25}. We give pseudocode to define the three algorithms.

Gen():
    π := [0, 1, ..., 25]
    for i = 25 down to 1
        pick j uniformly at random from {0, 1, ..., i}
        swap π[i] and π[j]
    return π

Gen picks a permutation π on Σ = {0, 1, ..., 25} uniformly at random from all possible permutations. The only random choices are made in the loop when selecting j. One might wonder how to select j from a set of the form {0, 1, ..., i} using only unbiased bits. This is easily achieved by selecting ⌈log2 i⌉ unbiased bits, interpreting them as the binary representation of a number a ∈ {0, 2^⌈log2 i⌉}, and repeating until a ≤ i. (This process is known as rejection sampling.)

Enc(k = π, m = m1m2 . . . ml):
    return c = π[m1]π[m2] . . . π[ml]

Dec(k = π, c = c1c2 . . . cl):
    for i = 1 to l
        for j = 0 to 25
            if π[j] = ci
                mi := j    (the preimage of ci under π is the plaintext character)
    return m = m1m2 . . . ml

1.5 Show that the shift, substitution, and Vigenère ciphers are all trivial to break using a chosen-plaintext attack. How much chosen plaintext is needed to recover the key for each of the ciphers?

Solution We identify the alphabet {A, B, . . . , Z} with the set Σ = {0, 1,... 25}.

Shift cipher Recall that an encryption of a character m ∈ Σ is c = m + k mod 26 for some k ∈ Σ. Accordingly, knowing the encryption c of an arbitrary m ∈ Σ allows one to compute the key k = c − m mod 26.

Substitution cipher Recall that an encryption of a character m ∈ Σ is c = π[m], where π : Σ ↦ Σ is some permutation. Obtaining the encryption c = (π[0], π[1], . . . , π[24]) of m = (0, 1, 2, . . . , 24) is sufficient to recover the key π: since π is a permutation, the last entry is fixed as the remaining one.

Vigenère cipher Recall that the Vigenère cipher consists of t independent shift ciphers. Accordingly, it can be broken by obtaining the encryption of a message of length t and applying the above attack to each of the characters.

1.6 Assume an attacker knows that a user’s password is either abcd or bedg. Say the user encrypts his password using the shift cipher, and the attacker sees the resulting ciphertext. Show how the attacker can determine the user’s password, or explain why this is not possible.

Solution Again, we identify the alphabet {A, B, . . . , Z} with the set Σ = {0, 1, . . . , 25}, and all additions are implicitly taken mod 26. Then the possible passwords are p0 = abcd = (0, 1, 2, 3) and p1 = bedg = (1, 4, 3, 6). Note that all possible encryptions of p0 are C0 = {(k, k + 1, k + 2, k + 3) | k ∈ Σ} and the ones of p1 are C1 = {(k + 1, k + 4, k + 3, k + 6) | k ∈ Σ}. These two sets are disjoint, so checking in which set the ciphertext lies allows one to deduce the password.

1.7 Repeat the previous exercise for the Vigenère cipher using period 2, using period 3, and using period 4.

Solution Recall that the period refers to the length of the key used for the Vigenère cipher. We use the same notation as in Problem 1.6.

Period 2 Here the sets of possible encryptions are C0 = {(k1, k2 + 1, k1 + 2, k2 + 3) | k1, k2 ∈ Σ} and C1 = {(k1 + 1, k2 + 4, k1 + 3, k2 + 6) | k1, k2 ∈ Σ}. It is easy to see that C0 = C1: let (k1, k2 + 1, k1 + 2, k2 + 3) ∈ C0 for some fixed k1, k2 ∈ Σ. Then it is also in C1, because k1′ = k1 + 1 and k2′ = k2 + 3 are in Σ. The converse is also true. In other words, for every possible encryption c of p0 under key k there is a key k′ that would have encrypted p1 to c. Since k and k′ are equally likely (they are chosen from the uniform distribution over Σ × Σ), the adversary has no way of knowing which password was encrypted.

Period 3 Here the sets of possible encryptions are C0 = {(k1, k2 + 1, k3 + 2, k1 + 3) | k1, k2, k3 ∈ Σ} and C1 = {(k1 + 1, k2 + 4, k3 + 3, k1 + 6) | k1, k2, k3 ∈ Σ}. These two sets are disjoint (due to the relationship between the first and fourth ciphertext character) and thus one can deduce the password as in Problem 1.6.

Period 4 With key length the same as the message length, the Vigenère cipher corresponds to the generalized One-Time Pad and is thus perfectly secret. The definition of perfect secrecy implies that the two passwords cannot be distinguished based on the ciphertext. (This is particularly easy to see through the indistinguishability definition.)
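The claims of Problems 1.6 and 1.7 can be checked mechanically. The Python below is an added example, not part of the original solution sheet; its function names are assumptions of this example, and the shift cipher is treated as the Vigenère cipher with period 1.

```python
from itertools import product

P0 = (0, 1, 2, 3)  # abcd
P1 = (1, 4, 3, 6)  # bedg


def vigenere_encrypt(key, msg):
    """Shift msg[i] by key[i mod t], where t = len(key)."""
    t = len(key)
    return tuple((m + key[i % t]) % 26 for i, m in enumerate(msg))


def consistent(c, p, t):
    """True iff some key of period t encrypts p to c.

    Such a key exists exactly when all positions that share a key
    character (i ≡ j mod t) show the same shift c[i] - p[i] mod 26.
    """
    shifts = {}
    for i, (ci, pi) in enumerate(zip(c, p)):
        s = (ci - pi) % 26
        if shifts.setdefault(i % t, s) != s:
            return False
    return True


def candidates(c, t):
    """Passwords the attacker cannot rule out after seeing ciphertext c."""
    named = (("abcd", P0), ("bedg", P1))
    return [name for name, p in named if consistent(c, p, t)]


def overlap(t):
    """Return (|C0 ∩ C1|, |C0|) for period t by trying every key."""
    total = shared = 0
    for key in product(range(26), repeat=t):
        total += 1  # distinct keys give distinct encryptions of P0
        shared += consistent(vigenere_encrypt(key, P0), P1, t)
    return shared, total


if __name__ == "__main__":
    for t in (1, 2, 3, 4):
        shared, total = overlap(t)
        print(f"period {t}: {shared} of {total} encryptions of abcd also fit bedg")
```

An overlap of 0 means the two ciphertext sets are disjoint and the password is determined; an overlap equal to the total means C0 = C1 and the ciphertext reveals nothing about which password was encrypted.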
