EE 595 (PMP) Introduction to Security and Privacy

Homework 1 – Solutions
Assigned: Tuesday, January 17, 2017, Due: Sunday, January 28, 2017
Instructor: Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Problem 1
For each of the following pairs of integers (x, y), first determine whether x−1 mod y exists. Then find x−1
(mod y) if it exists. Show all work.
(a) x = 5, y = 25
(b) x = 24, y = 35
(c) x = 17, y = 101

Solution:
(a) x = 5, y = 25
There does not exist an inverse x−1 (mod y) for a pair x = 5, y = 25, since

x = 5
y = 25 = 52 , hence
gcd(x = 5, y = 25) = 5 6= 1

(b) x = 24, y = 35
There does exist an inverse x−1 (mod y) for a pair x = 24, y = 35, since gcd(x = 24, y = 35) = 1. Let’s
show that by factorizing x and y:

x = 23 · 3
y = 5·7 (1)

From (1), it follows that x and y do not have any common factors, hence gcd(x = 24, y = 35) = 1.
Let’s now use the Extended Euclidean Algorithm to find the inverse x−1 (mod y) for a pair x = 24, y = 35:

24 = 0(35) + 24
35 = 1(24) + 11 → 11 = 35 − 1(24)
24 = 2(11) + 2 → 2 = 24 − 2(11)
11 = 5(2) + 1 → 1 = 11 − 5(2)

1 = 11 − 5(2)
= 11 − 5[(24) − 2(11)] = 11(11) − 5(24)
= 11[(35) − (24)] − 16(24) = 11(35) − 16(24) (2)

From (2), it follows that:

24−1 = −16 (mod 35) = 19 (mod 35)
x = 17, y = 101
There does exist an inverse x−1 (mod y) for a pair x = 17, y = 101, since both 17 and 101 are prime
numbers.
Using the Extended Euclidean Algorithm to find the inverse x−1 (mod y) for a pair x = 17, y = 101 we get
that 17−1 mod (101) = 6.

1
Problem 2
If an encryption function eK is identical to the decryption function dK , then the key K is said to be an
involutory key. Find all the involutory keys in the Shift cipher over Z26 .

Solution: In order to find all involutory keys in Shift cipher over Z26 , let’s first represent the 5-tuple that
defines the cipher:

P = C = K = Z26
y = eK (x) = (x + K) mod 26
x = dK (y) = (y − K) mod 26 (3)

By definition, a cryptographic key K is involutory key, if:

eK (x) = dK (y) (4)

From equation (4), if follows that:

x = eK (eK (x))
= eK [(x + K) mod 26]
= [(x + K) mod 26 + K] mod 26
= (x + 2K) mod 26 (5)

From equation (5), the condition for a key to be an involutory key in Shift cipher over Z26 is given as:

2 · K mod 26 = 0 (6)

From equation(6), we conclude that there are two involutory keys in Shift cipher over Z26 :

K1 = 0; K2 = 13

Problem 3
Suppose K = (5, 21) is a key in an Affine cipher over Z29 .

(a) Express the decryption function dK (y) in the form dK = a0 y + b0 , where a0 , b0 ∈ Z29 .
(b) Prove that dK (eK (x)) = x for all x ∈ Z29 .

Solution: An Affine cipher over Z29 is defined by the following 5-tuple:

P = C = Z29
K = {(a, b) : a ∈ Z29 and gcd(a, 29) = 1, b ∈ Z29 }
y = eK (x) = (ax + b) mod 29
x = dK (y) = a−1 (y − b) mod 29 (7)

2
 Solution: (a) In order to express the decryption rule (equation (7)) in the form:

dK (y) = a0 y + b0 , where a0 , b0 ∈ Z29 (8)

let’s first find the multiplicative inverse of a = 5 over Z29 using Extended Euclidean Algorithm:

29 = 5(5) + 4
5 = 1(4) + 1
1 = 5 − 1(4)
1 = 5 − 1(29 − 5(5))
1 = 6(5) − 29 (9)

From equation (9), it follows that a−1 = 6. We can now write:

dK (x) = a−1 (y − b) mod 29

= (a−1 y − a−1 b) mod 29
= (6y − 126) mod 29
≡ (6y + 19) mod 29 (10)

Therefore, decryption rule dK (y) can be expressed as dK (y) = (6y + 19) mod 29
(b)We next prove that dK (eK (x)) = x for all x ∈ Z29 .
In order to prove that dK (eK (x)) = x, let’s express dK (eK (x)) in the following way:

dK (eK (x)) = dk [(5x + 21) mod 29]

= 6[(5x + 21) mod 29] + 19 (mod 29)
= 30x + 126 + 19 (mod 29)
= 30x + 145 (mod 29)
= 30x + 145 ≡ x (mod 29) (11)

Equation (11) completes the proof.

Problem 4
The following ciphertext was encrypted using an Affine cipher:
edsgickxhuklzveqzvkxwkzukcvuh
The first two letter of the plaintext are if . Please decrypt.

The plaintext is:

if you can read this thank a teacher
Let’s recall that the first two ciphertext letters, ”ed” (4,3) correspond to plaintext ”if” (8,5). We can apply
that to the definition of affine decryption, dk (y) = a−1 (y − b) mod 26, to get the following system of
equations:

8 = a−1 (4 − b)
5 = a−1 (3 − b)

3
 Multiplying both sides with a, we get:

8a = (4 − b) mod 26
5a = (3 − b) mod 26
3a = 1 mod 26

We observe that a−1 = 3, and substitute that back into 5 = a−1 (3 − b), which allows us to solve for b = 10.
Using the key (a, b) = (3, 10), we can use any software to increase the decryption speed. Below is an example
of Matlab code.

ciphertext str = 'edsgickxhuklzveqzvkxwkzukcvuh';

ciphertext = convertToNumbers(ciphertext str);
a inv = 3;
b = 10;

plaintext = mod(a inv *(ciphertext − b),26);

plaintext str = convertToString(plaintext);
plaintext str

function numArray = convertToNumbers(s)

a = uint8('a');
s = lower(s);
for i=1:length(s)
t = uint8(s(i));
if t < a
numArray(i) = −1;
else
numArray(i) = double(t − a);
end
end
%numArray = uint8(s) − a;
numArray = double(numArray);

function str = convertToString(x)

a = uint8('a');

%x = x + a;

str = char(uint8(x)+a);

Problem 5
Alice is sending a message to Bob using the Vigenére cryptosystem. At some point, Alice gets bored, and
starts sending plaintext that consists of a single letter (known only to her) repeated a few hundred times.
Eve knows that the Vigenére cipher is being used, and that the plaintext consists of a single letter, repeated.
Show how Eve can deduce the key.

4
 Solution: Let’s assume that Alice sends some number, and let’s denote that number as ’x’. Let’s now
assume that the key length is equal to m. Now we have the following case.
plaintext: x x x x x x x x x x x x . . .
ciphertext: c1 c2 . . . cm c1 c1 . . .
Since Alice is constantly encrypting the same number ’x’, eventually we will observe that the ciphertext is
some periodic sequence. The period indicates the length m of the Vigenere cipher. Another feature we can
observe is the fixed difference between ci and ci+1 , where i = 1 . . . m − 1. Therefore, we can represent any
ci in term of c1 . As the result, the size of key space is reduced to 26. For any new ciphertext, we can then
try at most 26 times to encrypt the message.

Problem 6
Evan, an attacker, is on a mission. He is given a (plaintext, ciphertext) pair (relation, ORIENTAL), and his
task is to determine the complete cryptographic key (table), if the given pair is generated using:
(a) Permutation cipher,
(b) Substitution cipher.

Please put your “black hat” on, and show Evan how to accomplish this mission, or show why it is impossible.
In doing so, please assume that the set of possible plaintexts is equal to the set of possible ciphertexts, and
that it is equal to Z26 .
Solution:

(a) The mission is possible if the given (plaintext, ciphertext) pair is obtained using the Permutation
cipher. To see that, let’s recall that with this cipher, the ciphertext is generated by altering the
positions of the characters in the plaintext, i.e., rearranging the alphabets using a permutation.
The given mission might be slightly harder, if we assume that Evan doesn’t know the key length, where
the key length determines the number of letters that are considered when determining the permutation.
However, even if the key length is unknown, Evan can still proceed, by finding the key length via a
trial-and-error method. In doing so, we can make Evan’s job significantly simpler by observing that
the length of the given plaintext needs to be divisible (without a remainder) with the key length. In
Evan’s case, the only meaningful key would be those of length 2, 4 and 8, and the actual key length is
8. The obtained permutation table is given below, in Table 1.
(b) The mission at hands is impossible if the given (plaintext, ciphertext) pair is obtained using the
Substitution cipher. To see that, let’s recall that the main idea of the substitution cipher is to replace
each letter of the plaintext alphabet with an alphabet at an arbitrary distance. It is important to note
that we need to be able to replace every plaintext alphabet. Since our (plaintext, ciphertext) pair
is rather short (only eight letters), we can only determine a part of the key (a part of the substitution
table), but not the whole table. The partial table looks as follows:

j 1 2 3 4 5 6 7 8
π(j) 2 4 8 7 6 3 1 5

Table 1: Permutation table obtained as a solution in Problem 4.

x a e i l n o r t
π(x) E R T I L A O N

Table 2: Partial encryption table for Substitution cipher.

5
Problem 7
Consider the DES cryptosystem. Suppose that the key scheduling algorithm (the algorithm used to compute
the round keys) is as follows. For a given key K, the algorithm first computes round keys K1 , . . . , K8 for
the first eight rounds. The algorithm then sets

K9 = K8 , K10 = K7 , . . . , K16 = K1 ,

so that Ki = K16−i+1 for all i = 1, . . . , 16. (Note that the DES key scheduling algorithm does not actually
work this way.) Suppose that you are given a ciphertext Y . Show how to determine the plaintext x using a
chosen plaintext attack. Recall that in a chosen plaintext attack, an attacker is given a ciphertext Y . The
attacker is allowed to choose a plaintext x0 6= x and receives the ciphertext Y 0 = EK (x0 ). The attacker then
attempts to compute the plaintext x satisfying Y = EK (x).

Solution: The approach is to choose the plaintext (L00 , R00 ) equal to (R16 , L16 ), i.e., to reverse the blocks of
the ciphertext. Consider the first round of the encryption. By definition of the DES encryption, L01 = R00
and R10 = f (K1 , R00 ) ⊕ L00 . Substituting the values of L00 and R00 gives

L01 = L16
R10 = f (K1 , L16 ) ⊕ R16

On the other hand, consider the DES decryption of the original ciphertext (L16 , R16 ). By definition, we have

R15 = L16
L15 = R16 ⊕ f (L16 , K16 ) = R16 ⊕ f (L16 , K1 )

Hence L01 = R15 and R10 = L15 . Proceeding inductively, we have that Li = R16−i 0
and Ri = L016−i . In
0 0 0
particular, L0 = R16 and R0 = L16 . The original plaintext is therefore given by (R16 , L016 ), where (L016 , R16
0
)
is the output from inputting (R16 , L16 ) to the encryption box.

Problem 8
In the CBC mode of encryption, suppose that there is a bit error in one block of ciphertext. If the error
occurs in the first block of ciphertext Y1 , which blocks of the plaintext will be decrypted incorrectly?

Solution:
Let Ŷ1 denote the ciphertext with the bit error. The first block of plaintext (x1 ) will be decrypted incorrectly,
while the remaining blocks will be decrypted correctly. This is because all subsequent blocks will be encrypted
and decrypted using the same block Ŷ1 . To see that, the corrupted ciphertext is used for ”xor” operation,
so as long as current blocks ”xor” the same ciphertext, the result does not depend on the ciphertext content
itself, since x ⊕ x = 0, and y ⊕ 0 = y. Since DK (Ŷ1 ) 6= x1 , however, the first block will be decrypted
incorrectly. so only the first block has an error.

Problem 9
In this exercise, we will see how a cryptosystem can fail if the encryption function is a linear function of the
plaintext. Consider a cryptosystem that encrypts a 128-bit plaintext x with a 128-bit key K to get a 128-bit
ciphertext Y . Let EK (x) denote the encryption function, and suppose that

EK (x1 ⊕ x2 ) = EK (x1 ) ⊕ EK (x2 )

for all keys K and plaintexts x1 and x2 . Consider an attacker mounting a chosen ciphertext attack, in which
the attacker chooses 128 ciphertexts Y1 , . . . , Y128 and receives the plaintexts x1 , . . . , x128 with Yi = EK (xi )
for i = 1, . . . , 128. Show how the attacker can choose Y1 , . . . , Y128 so that (s)he can decrypt any message Y
without knowledge of the secret key.

6
Solution: Suppose that the attacker chooses ciphertexts Y1 , . . . , Y128 , where Yi has i-th bit equal to 1 and
all other bits equal to 0, and obtains the plaintexts x1 = DK (Y1 ), . . . , x128 = DK (Y128 ). Given a ciphertext
Y , let {i1 , . . . , ik } denote the indices of Y that have bit 1. Hence Y = Yi1 ⊕ Yi2 ⊕ · · · ⊕ Yik . Letting x denote
the plaintext satisfying y = EK (x), we then have

EK (x) = Y = Yi1 ⊕ · · · ⊕ Yik

= EK (xi1 ) ⊕ · · · ⊕ EK (xik )
= EK (xi1 ⊕ · · · ⊕ xik ) (12)

where (12) follows from linearity of EK . Since EK (x) = EK (xi1 ⊕ · · · ⊕ xik ) and the encryption operation is
one-to-one, we must have x = xi1 ⊕ · · · ⊕ xik . Since xi1 , . . . , xik are known to the attacker, the plaintext x
can then be obtained. Note that a chosen plaintext attack using plaintexts x1 , . . . , x128 , where xi is the i-th
unit vector, will also enable the decryption of any message under this cryptosystem.