Birla Institute of Technology & Science – Pilani

Hyderabad Campus
nd
2 Semester 2021-2022
Cryptography (BITS F463) – Comprehensive Examination (Regular) - key

Q1. (a) Given the keyword as keyword

The message to be encrypted is “COME TO THE WINDOW”. The letter Q is to be used as a filler to help
with digram formation. From the given keyword, we can construct the Playfair matrix as follows.

Now enciphering the plaintext, first we need to split the plaintext as digrams.
CO ME TO TH EW IN DO WQ
Now applying the Playfair cipher rules we get the ciphertext as:
LC NK ZK VF YO GQ CE BX

(b) Given the message to be encrypted as “Attack is tonight”. The key matrix is given as follows:

Since, the key matrix is a 3 x 3 matrix, the letters will be encrypted in groups of 3. Accordingly, the plaintext
can be written as ATT ACK IST ONI GHT
The corresponding plaintext matrix is
A T T = 0 19 19
A C K 0 2 10
I S T 8 18 19
O N I 14 13 8
G H T 6 7 19
Now, ciphertext = [plaintext x key] mod 26

When simplified, we get C11, C12 and C13 as:

Thus the ciphertext equivalent of the plaintext letters ATT will be FNW
Q2. (a) (i)
Let the outcome of PC-1 be K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111
0001111. Given the number of left shifts for round 1 as 1
To find C1D1:
From the permuted key K+, we can get C0D0 as follows.
C0 = 1111000 0110011 0010101 0101111
D0 = 0101010 1011001 1001111 0001111
Since it is round 1, the number of shifts is 1. Hence we can get C 1D1 by left circular shift by 1 position of
C0D0. So,
C0 = 1111000011001100101010101111
D0 = 0101010101100110011110001111
C1 = 1110000110011001010101011111
D1 = 1010101011001100111100011110
Thus, C1D1 = 1110000110011001010101011111 1010101011001100111100011110
(ii) To L1R1 from the information given below.
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
K1 = 000110 110000 001011 101111 111111 000111 000001 110010
L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)
Outcome of round function for round 1 is 0010 0011 0100 1010 1010 1001 1011 1011
This means that f = f = 0010 0011 0100 1010 1010 1001 1011 1011
Thus
R1 = L0 + f(R0 , K1 )
= 1100 1100 0000 0000 1100 1100 1111 1111
+ 0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
Thus, L1 R1 = 1111 0000 1010 1010 1111 0000 1010 1010 1110 1111 0100 1010 0110 0101 0100 0100

(b) (i) Given the output from the shift rows operation,
D4 E0 B8 1E
BF B4 41 27
5D 52 11 98
30 AE F1 E5
the input to the shift rows operation can be found as:

D4 E0 B8 1E
27 BF B4 41
11 98 5D 52
AE 11 E5 30

(ii) Let w0 = { 0f 15 71 c9 }, w1 = { 47 d9 e8 59 }, w2 = { 0c b7 ad 00}, w3 = { af 7f 67 98 } and

auxiliary function z1 = { d3 85 46 79 }.
w4 = w0 ⊕ z1 = dc 90 37 b0
w5 = w4 ⊕ w1 = 9b 49 df e9
w6 = w5 ⊕ w2 = 97 fe 72 e9
w7 = w6 ⊕ w3 = 38 81 15 a7
Q3. (a)
Two global prime values are chosen as p = 3 and q = 11
Compute n = p * q = 3 * 11 = 33 ; Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Choose e such that 1 < e < φ(n) and e and φ (n) are coprime. Let e be 7
Compute a value for d such that (d * e) % φ(n) = 1. One solution is d = 3
The public key is (e, n) => (7, 33). The private key is (d, n) => (3, 33). The encryption of m is done
as c = 27 % 33 = 29
The decryption yields the plain text as m = 293 % 33 = 2

(b) Given ElGamal cryptosystem; the plaintext message be m = 138.

Let the ElGamal encryption key be (257, 3, 112).
An attacker wants to find a secret integer a such that 3a ≡ 112 (mod 257).

We need to prove that the ElGamal cryptosystem is secure enough for sufficiently large prime modulus:

Finding a is a discrete logarithm problem. There is no known method for solving a discrete log problem
with a large prime modulus that is sufficiently efficient to be practical for application to cryptanalysis.

Hence the ElGamal cryptosystem is thought to be secure for sufficiently large prime modulus. Here, the
modulus is 257 and hence an attacker can use trial and error method to solve the congruence 3a ≡ 112 (mod
257) and arrive at a value a = 21. Once the attacker knows a, he can find the plaintext message. However,
for large prime modulus solving for a is a hard problem.
Q4. (a)

Purpose of the hash function Name of the

property
protects against an attacker who only has a hash value and is trying to find the input Pre-image
resistance
protects against an attacker who has an input value and its hash and wants to Second-
substitute the original input value preimage
resistance
makes it very difficult for an attacker to find two input values with the same hash Collision
resistance

(b) (p,q,g) are globally available. The condition (gk mod p)mod q ≠ 0 is checked; given private key is x and
the public key is gx mod p.
To show how the hash code h; 0 < h < q; can be recovered from the signature (r; s) using public information
only, including the public key:-
The hash code h can be recovered from the signature (r; s) given the public key (gx mod p) by calculating
h = r(gk (mod p)) -1 (mod q)
= r(gs+xr (mod p))-1 (mod q)
= r(gs(gx)r (mod p)) -1 (mod q)

(c) Given n to be a large integer. Let H(m) = m(mod n) be an integer between 0 and n-1.

To prove that the hash function H is not strongly collision-free.

Let us say, we choose two values m1 and m2 that are congruent mod n. Then H(m1) = H(m2). This means
that there are two distinct messages m1 and m2 for which the hash values are the same. Hence H is not
strongly collision-free.
Q5. (a)
Block cipher mode Mathematical expression Major applications
Electronic Code Book Ci = DESK1(Pi) Secure transmission of single values
Cipher Block Chaining Ci = DESK1(Pi XOR Ci-1) bulk data encryption, authentication
C-1 = IV
Cipher Feed Back Ci = Pi XOR DESK1(Ci-1) stream data encryption, authentication
C-1 = IV
Output Feed Back Ci = Pi XOR Oi stream encryption on noisy channels
Oi = DESK1(Oi-1)
O-1 = IV
Counter mode Ci = Pi XOR Oi high-speed network encryptions
Oi = DESK1(i)

(b)
(i) solutions for ax ≡ b (mod m)
The solutions for the above congruence depends on the greatest common divisor of a and m.
Let g = gcd(a, m). If b is not divisible by g, there are no solutions. If b is divisible by g, there
are g solutions.
(ii)
 If a and m are relatively prime, g = gcd(a, m) = 1. Put the congruence ax ≡ b (mod m) in a standard
form; assume a > 0. If not, replace ax ≡ b (mod m) with –ax ≡ –b (mod m); assume a < m. If not,
subtract multiples of m from a until a < m; now solve my ≡ –b (mod a).
 if the numbers a and m are not relatively prime, first solve the congruence (a/g)y ≡ (b/g) (mod
(m/g)) using the above procedure; the solutions to ax ≡ b (mod m) are x = y + tm/g where t = 0, 1,
2, …, g-1.

(iii) a = 7, b = 13 and m = 100,

7x ≡ 13 (mod 100)
Since 7 and 100 are relatively prime, there is a unique solution;
we should solve 100y ≡ -13(mod 7); since 100 ≡ 2 (mod 7) and -13 ≡ 1 (mod 7),
it is like solving 2y ≡ 1 (mod 7),
Find y as = 4. Then x = (100*4 + 13)/7 = 59;
verify that 7*59 = 413 so 7*59 ≡ 13 (mod 100)
Q6. (a) Let n = 221. We can write n−1 as = 22·55, so that we have k= 2 and q= 55. Randomly select a
number a such that 1 < a < n - 1,
(i)
here you are asked to take a = 174.
17455 mod 221 = 47 ≠ 1, n − 1
174110 mod 221 = 220 = n − 1.
Since 220 ≡ −1 mod n, either 221 is prime, or 174 is a strong liar for 221.
(ii)
Now let a = 137:
13755 mod 221 = 188 ≠ 1, n − 1
137110 mod 221 = 205 ≠ n − 1.
Hence 137 is a witness for the compositeness of 221, and 174 was in fact a strong liar.

(b)
If m1, m2, .., mk are pairwise relatively prime positive integers, and if a1, a2, .., ak are any integers,
then the simultaneous congruences x ≡ a1 mod(m1), x ≡ a2 mod(m2), ……..., x ≡ ak mod(mk),
have a solution, and the solution is unique modulo m, where m = m1, m2, …. mk
Q7. (a) You are asked to apply rail fence cipher decryption (depth = 3) to retrieve the plaintext message
from the ciphertext DNETLEEDHESWLXFTAAX.
Since there are 19 letters in the ciphertext and since the depth is given as 3, first, we need to construct the
rail fence with 3 rows and 19 columns. Then we need to fill in the letters in a horizontal fashion. Next the
letters are read out in a diagonal fashion to retrieve the plaintext as follows.

Thus the corresponding plaintext is Defend the east wall xx

(b) Given that the ciphertext CSASXTITUKSWTGQU GWYQVRKWAQJB is generated by applying the
Vigenere cipher using a keyword ABCDEF.

The given ciphertext is => CSASXTITUKSWTGQUGWYQVRKWAQJB

The Vigenere cipher key is => ABCDEFABCDEFABCDEFABCDEFABCD
Thus the plaintext is => CRYPTO IS SHORT FOR CRYPTOGRAPHY

Thus the plaintext message is Crypto is short for cryptography