Network Security and Cryptography

EE 418: Network Security and Cryptography Homework 2 – Solutions Assigned: Tuesday, October 11, 2016, Due: Tuesday, October 25, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle

Problem 1 For each of the following pairs of integers (x, y), ﬁrst determine whether x−1 mod y exists. Then ﬁnd x−1 (mod y) if it exists. Show all work. (a) x = 5, y = 25

(b) x = 12, y = 29 (c) x = 24, y = 35 (d) x = 17, y = 101

(e) x = 87, y = 102

Solution: (a) x = 5, y = 25 There does not exist an inverse x−1 (mod y) for a pair x = 5, y = 25, since

x = 5 y = 25 = 52, hence gcd(x = 5, y = 25) = 5 6= 1

(b) x = 12, y = 29 There does exist an inverse x−1 (mod y) for a pair x = 12, y = 29, since gcd(x = 12, y = 29) = 1. Let’s show that using the Eucliedan Algorithm:

12 = 0(29) + 12 29 = 2(12) + 5 12 = 2(5) + 2 5 = 2(2) + 1 2 = 2(1) + 0

Now, let’s use the Extended Eucliedan Algorithm to ﬁnd the inverse x−1 (mod y) for a pair x = 12, y = 29:

1 = 5 − 2(2) = 5 − 2[12 − 2(5)] = 5(5) − 2(12) = 5[29 − 2(12)] − 2(12) = 5(29) − 12(12) (1)

From equation (1), it follows that:

12−1 = −12 (mod 29) = 17 (mod 29)

1 Solution: (c) x = 24, y = 35 There does exist an inverse x−1 (mod y) for a pair x = 24, y = 35, since gcd(x = 24, y = 35) = 1. Let’s show that by factorizing x and y:

x = 23 · 3 y = 5 · 7 (2)

From (2), it follows that x and y do not have any common factors, hence gcd(x = 24, y = 35) = 1. Let’s now use the Extended Euclidean Algorithm to ﬁnd the inverse x−1 (mod y) for a pair x = 24, y = 35:

24 = 0(35) + 24 35 = 1(24) + 11 → 11 = 35 − 1(24) 24 = 2(11) + 2 → 2 = 24 − 2(11) 11 = 5(2) + 1 → 1 = 11 − 5(2)

1 = 11 − 5(2) = 11 − 5[(24) − 2(11)] = 11(11) − 5(24) = 11[(35) − (24)] − 16(24) = 11(35) − 16(24) (3)

From (3), it follows that: 24−1 = −16 (mod 35) = 19 (mod 35) (d) x = 17, y = 101 There does exist an inverse x−1 (mod y) for a pair x = 17, y = 101, since both 17 and 101 are prime numbers. Using the Extended Euclidean Algorithm to ﬁnd the inverse x−1 (mod y) for a pair x = 17, y = 101 we get that 17−1 mod (101) = 6. (e) x = 87, y = 102 There does not exist an inverse x−1 (mod y) for a pair x = 87, y = 102, since gcd(x = 87, y = 102) = 3. Let’s show that by factorizing x and y:

x = 87 = 29 · 3 y = 102 = 2 · 3 · 17 (4)

From (4), it follows that x and y do have common factor, d = 3, hence gcd(x = 87, y = 102) = 3.

Problem 2 (Stinson, Problem 1.2) Suppose that a, m > 0 and a 6≡ 0 (mod m). Prove that

(−a) mod m = m − a(modm). (5)

Solution I: In order to prove the statement given by equation (5), let’s use the remainder theorem to represent a as:

a = b · m + r (6)

We next multiply both sides of equation (6) by -1 and rearrange the equation in the following way:

−a = −b · m − r = −b · m + m − m − r = −(b + 1) · m + m − r (7)

2 Equation (7) is, however, nothing but another application of the remainder theorem:

−a = − (b + 1) m + (m − r) = q1 · m + r1 (8) | {z } | {z } q1 r1

Using the fact that a(modm) ≡ r, we can write:

−a mod m = r1 = m − r = m − a mod m (9)

Equation (9) completes the proof.

Solution II: Part one: Suppose that a, m > 0 and a 6≡ 0 mod m, hence for some integers q and r, where 0 ≤ r < m, we can write a as a = mq + r, according to division theorem. By simple algebra, −a = −mq − r, which is −a = m(−q) − r. Then we take mod m on both side. (−a) mod m = (−r) mod m. However, it is equivalent to (−a) mod m = m − r mod m. Since 0 < r < m, then 0 < m − r < m, and m − r mod m = m − r, as the result (−a) mod m = m − r. Part two: On the other hand, since a = mq + r, then a mod m = r, hence −(a mod m) = −r. By adding m on both side, we get m − (a mod m) = m − r By comparing result from both part, (−a) mod m = m − r, m − (a mod m) = m − r, we conclude they are equal, and hence it completes the proof.

Problem 3 (Stinson, Problem 1.6)

If an encryption function eK is identical to the decryption function dK , then the key K is said to be an involutory key. Find all the involutory keys in the Shift Cipher over Z26.

Solution: In order to find all involutory keys in Shift Cipher over Z26, let’s first represent the 5-tuple that defines the cipher:

P = C = K = Z26 y = eK (x) = (x + K) mod 26

x = dK (y) = (y − K) mod 26 (10)

By deﬁnition, a cryptographic key K is involutory key, if:

eK (x) = dK (y) (11)

3 From equation (11), if follows that:

x = eK (eK (x))

= eK [(x + K) mod 26] = [(x + K) mod 26 + K] mod 26 = (x + 2K) mod 26 (12)

From equation (12), the condition for a key to be an involutory key in Shift Cipher over Z26 is given as: 2 · K mod 26 = 0 (13)

From equation(13), we conclude that there are two involutory keys in Shift Cipher over Z26:

K1 = 0; K2 = 13

Problem 4 (Stinson, Problem 1.7)

Determine the number of valid keys (a, b) in an Aﬃne cipher over Zm for m = 30, 100 and 1225.

Solution: Let’s start solving this problem by recalling the deﬁnition of the Aﬃne cipher:

P = C = Zm K = {(a, b): a ∈ Zm and gcd(a, m) = 1, b ∈ Zm} y = eK (x) = (ax + b) mod m −1 x = dK (y) = a (y − b) mod m (14)

From equation (14), it follows that the number of keys in an Aﬃne Cipher over Zm depends on the cardinality ˜ ˜ of the subset Zm, that contains all the elements x ∈ Zm, such that gcd(x, m) = 1. The cardinality of the ˜ subset Zm is determined by the Euler totient (φ) function:

n Y ei ei−1 φ(m) = (pi − pi ) (15) i=1

Qn ei where i=1 pi represents a unique prime factorization of number m. From equation (15), the number of distinct keys in an aﬃne cipher over Zm is deﬁned as:

n Y ei ei−1 # of distinct keys = N(m) = m · φ(m) = m (pi − pi ) (16) i=1

4 For m = 30, 100, 1225, we can write:

30 = 2 · 3 · 5 n Y ei φ(30) = pi = (2 − 1) · (3 − 1) · (5 − 1) = 8 i=1 n Y ei ei−1 N(30) = m · φ(m) = m (pi − pi ) = 30 · 8 = 240 i=1

100 = 22 · 52 n Y ei 2 2 φ(100) = pi = (2 − 2) · (5 − 5) = 2 · 20 = 40 i=1 n Y ei ei−1 3 N(100) = m · φ(m) = m (pi − pi ) = 100 · 40 = 4 · 10 i=1

1225 = 52 · 72 n Y ei 2 2 φ(1225) = pi = (5 − 5) · (7 − 7) = 20 · 42 = 840 i=1 n Y ei ei−1 N(1225) = m · φ(m) = m (pi − pi ) = 1225 · 840 = 1029000 i=1

Problem 5 (Stinson, Problem 1.10)

Suppose K = (5, 21) is a key in an Aﬃne Cipher over Z29. 0 0 0 0 (a) Express the decryption function dK (y) in the form dK = a y + b , where a , b ∈ Z29.

(b) Prove that dK (eK (x)) = x for all x ∈ Z29.

Solution: An Aﬃne Cipher over Z29 is deﬁned by the following 5-tuple:

P = C = Z29 K = {(a, b): a ∈ Z29 and gcd(a, 29) = 1, b ∈ Z29} y = eK (x) = (ax + b) mod 29 −1 x = dK (y) = a (y − b) mod 29 (17)

(a) In order to express the decryption rule (equation (17)) in the form:

0 0 0 0 dK (y) = a y + b , where a , b ∈ Z29 (18)

let’s ﬁrst ﬁnd the multiplicative inverse of a = 5 over Z29 using Extended Euclidean Algorithm: 29 = 5(5) + 4 5 = 1(4) + 1 1 = 5 − 1(4) 1 = 5 − 1(29 − 5(5)) 1 = 6(5) − 29 (19)

5 From equation (19), it follows that a−1 = 6. We can now write:

−1 dK (x) = a (y − b) mod 29 = (a−1y − a−1b) mod 29 = (6y − 126) mod 29 ≡ (6y + 19) mod 29 (20)

Therefore, decryption rule dK (y) can be expressed as dK (y) = (6y + 19) mod 29 (b)We next prove that dK (eK (x)) = x for all x ∈ Z29. In order to prove that dK (eK (x)) = x, let’s express dK (eK (x)) in the following way:

dK (eK (x)) = dk[(5x + 21) mod 29] = 6[(5x + 21) mod 29] + 19 (mod 29) = 30x + 126 + 19 (mod 29) = 30x + 145 (mod 29) = 30x + 145 ≡ x (mod 29) (21)

Equation (21) completes the proof.

Problem 6 (Trappe, Washington, Problem 2.13.3) The following ciphertext was encrypted by an aﬃne cipher: edsgickxhuklzveqzvkxwkzukcvuh The ﬁrst two letter of the plaintext are if. Please decrypt.

Solution: The plaintext is: if you can read this thank a teacher Let’s recall that the first two ciphertext letters, ”ed” (4,3) correspond to plaintext ”if” (8,5). We can apply −1 that to the definition of affine decryption, dk(y) = a (y − b) mod 26, to get the following system of equations:

8 = a−1(4 − b) 5 = a−1(3 − b)

Multiplying both sides with a, we get:

8a = (4 − b) mod 26 5a = (3 − b) mod 26 3a = 1 mod 26

We observe that a−1 = 3, and substitute that back into 5 = a−1(3 − b), which allows us to solve for b = 10. Using the key (a, b) = (3, 10), we can use any software to increase the decryption speed. Below is an example of Matlab code.

ciphertext str ='edsgickxhuklzveqzvkxwkzukcvuh'; ciphertext = convertToNumbers(ciphertext str);

6 a inv = 3; b = 10;

plaintext = mod(a inv*(ciphertext − b),26); plaintext str = convertToString(plaintext); plaintext str

function numArray = convertToNumbers(s)

a = uint8('a'); s = lower(s); for i=1:length(s) t = uint8(s(i)); ift < a numArray(i) = −1; else numArray(i) = double(t − a); end end %numArray= uint8(s) − a; numArray = double(numArray);

function str = convertToString(x)

a = uint8('a');

%x=x+a;

str = char(uint8(x)+a);

Problem 7 (Trappe, Washington, Problem 2.13.4) The following ciphertext was encrypted by an aﬃne cipher using the function 3x + b for some b:

tcabtiqmfheqqmrmvmtmaq Please decrypt.

Solution: The inverse of a can easily be found to be equal to 9. A simple approach to ﬁnding b is to iterate over all 26 possibilities, from 0 to 25, and see what would be reasonable. The plaintext is, twenty six possibilities and below is an example Matlab code you can use to decrypt the given ciphertext:

clear all;clc ciphertext str ='tcabtiqmfheqqmrmvmtmaq'; ciphertext = convertToNumbers(ciphertext str);

a inv = 9; plaintext set = []; for b = 0:25; plaintext = mod(a inv*(ciphertext − b),26); plaintext str = convertToString(plaintext); plaintext set = [plaintext set;plaintext str]; end plaintext set

7 Problem 8 (Stinson, Problem 1.15)

Determine the inverses of the following matrices over Z26. 2 5 (a) M = 1 9 5

 1 11 12  (b) M2 =  4 23 2  7 15 9

8 Solution: Let’s recall that the inverse of the matrix M1 over Z26 exists if the determinant of the given matrix and number 26 are coprime: gcd(det(M1), 26) = 1 (22)

(a) We ﬁrst calculate the determinant det M1 and its inverse over Z26: 2 5 det M = det = −35 (mod 26) = 17 (mod 26); 1 9 5 −1 (det M1) = −3 (mod 26) = 23 (mod 26)

−1 Since gcd(det M1, 26) = gcd(17, 26) = 1, the inverse M1 over Z26 exists and can be calculated as: 5 −5 M −1 = (det M )−1 (mod 26) 1 1 −9 2 5 −5 = 23 (mod 26) −9 2 115 −115 = (mod 26) −207 46 11 15 = (mod 26) 1 20

(b) Similarly, the determinant and its inverse of the matrix M2 over Z26 can be calculated as follows:  1 11 12  det M2 = det  4 23 2  = −3817 (mod 26) = 5 (mod 26); 17 15 9 −1 (det M2) = −5 (mod 26) = 21 (mod 26)

Since gcd(det M2, 26) = gcd(21, 26) = 1, the inverse of M2 over Z26 exists and can be calculated as:  177 −2 −331  −1 M2 = 21  81 −195 172  (mod 26) −254 6 −21  21 3 6  = 21  24 13 20  (mod 26) 7 16 5  441 63 126  =  504 273 420  (mod 26) 147 336 105  25 11 22  =  10 13 4  (mod 26) 17 24 1

Problem 9 (Stinson, Problem 1.16) Suppose that π is the following permutation of {1,..., 8}:

x 1 2 3 4 5 6 7 8 π(x) 4 1 6 2 7 3 8 5

9 (a) Compute the permutation π−1. (b) Decrypt the following ciphertext, for a Permutation Cipher with m = 8, which was encrypted using the key π:

TGEEMNELNNTDROEOAAHDOETCSHAEIRLM

Solution: (a) In every Permutation Cipher, given a permutation π of the set {1, . . . , m}, an associated m × m permutation matrix Kπ = (kij) can be deﬁned according to the formula: ( 1 if i = π(j) ki,j = (23) 0 otherwise

−1 For the given permutation π, the permutation matrix Kπ and its inverse Kπ are deﬁned as follows:  0 0 0 1 0 0 0 0   0 1 0 0 0 0 0 0   1 0 0 0 0 0 0 0   1 0 0 1 0 0 0 0       0 0 0 0 0 1 0 0   0 0 0 0 0 1 0 0       0 1 0 0 0 0 0 0  −1  0 0 0 0 0 0 0 0  Kπ =   ,K =    0 0 0 0 0 0 1 0  π  0 0 0 0 0 0 0 1       0 0 1 0 0 0 0 0   0 0 1 0 0 0 0 0       0 0 0 0 0 0 0 1   0 0 0 0 1 0 0 0  0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0

−1 Reading the Kπ matrix, we obtain the decryption permutation presented in table . (b) In order to decrypt the given ciphertext, we ﬁrst divide it in blocks of size m = 8: TGEEMNEL — NNTDROEO — AAHDOETC — SHAEIRLM

Using the decryption table, we ﬁnally decrypt the ciphertext: Gentlemen do not read each other’s mail.

x 1 2 3 4 5 6 7 8 π−1(x) 2 4 6 1 8 3 5 7

Problem 10 (Trappe, Washington, Problem 2.13.16) Alice is sending a message to Bob using one of the cryptosystems listed below. In fact, Alice is bored and her plaintext consists of one letter (known only to her) repeated a few hundred times. Eve know what system is being used, but not the key, and she intercepts the ciphertext. For systems (a) and (b), state how Eve will recognize that the plaintext is one repeated letter and decide whether or not Eve can deduce the key. For system (c), assume that Eve guesses that the plaintext is one repeated letter, and show how Eve can then deduce the key. (a) Shift cipher,

(b) Aﬃne cipher, (c) Vigenere cipher (assume that the key is an English word of length between 8 and 12 letters.)

10 Solution:

(a) If Alice uses the Shift cipher to repeatedly encrypt a single letter, Eve will recognize that the plaintext is just one repeated letter by simply observing that the ciphertext consists of a single letter repeated multiple times. Having access only to the ciphertext, however, Eve won’t be able to deduce what the cryptographic key using the brute force method since every shift will result in a string of repeated letters, and Eve won’t have a way of knowing which letter did Alice choose.

(b) If Alice uses the Affine cipher to repeatedly encrypt a single letter, Eve will again easily recognize that the plaintext is just one repeated letter. Similar to the Shift cipher, however, Eve again won’t be able to deduce what the cryptographic key is by looking only at the ciphertext. The reason for that is that the cryptographic key in the Affine cipher consists of two parts, scaling element, a, and shifting element, b. Having an access to a ciphertext consisting of a single letter repeated multiple time, Eve won’t be able to find both a and b.

(c) If Eve is able to guess the Alice is using the Vigenere cipher to encrypt a single letter repeated multiple times, then Eve can easily deduce the length of the cryptographic key, by simply observing when a letter repeats for the first time in the given ciphertext. If Eve makes an assumption that the cryptographic key is an English word of the length between 8 and 12 characters, in order to deduce what that key is, she will apply the same brute force approach as she would in the ciphertext only attack against the Shift cipher. The difference here is that the meaningful word that Eve will eventually find is actually the key, and the string of repeated letters is the plaintext.