EE 595 (PMP) Introduction to Security and Privacy
Homework 1 Solutions

Assigned: Tuesday, January 17, 2017, Due: Sunday, January 28, 2017
Instructor: Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Problem 1

For each of the following pairs of integers $(x, y)$, first determine whether $x^{-1} \bmod y$ exists. Then find $x^{-1} \pmod{y}$ if it exists. Show all work.

(a) $x = 5$, $y = 25$
(b) $x = 24$, $y = 35$
(c) $x = 17$, $y = 101$

Solution:

(a) $x = 5$, $y = 25$

There does not exist an inverse $x^{-1} \pmod{y}$ for the pair $x = 5$, $y = 25$, since $x = 5$ and $y = 25 = 5^2$, hence $\gcd(x = 5, y = 25) = 5 \neq 1$.

(b) $x = 24$, $y = 35$

There does exist an inverse $x^{-1} \pmod{y}$ for the pair $x = 24$, $y = 35$, since $\gcd(x = 24, y = 35) = 1$. Let's show that by factorizing $x$ and $y$:

$$
x = 2^3 \cdot 3, \qquad y = 5 \cdot 7 \tag{1}
$$

From (1), it follows that $x$ and $y$ do not have any common factors, hence $\gcd(x = 24, y = 35) = 1$.

Let's now use the Extended Euclidean Algorithm to find the inverse $x^{-1} \pmod{y}$ for the pair $x = 24$, $y = 35$:

$$
\begin{aligned}
24 &= 0(35) + 24 \\
35 &= 1(24) + 11 & 11 &= 35 - 1(24) \\
24 &= 2(11) + 2 & 2 &= 24 - 2(11) \\
11 &= 5(2) + 1 & 1 &= 11 - 5(2)
\end{aligned}
$$

$$
\begin{aligned}
1 &= 11 - 5(2) \\
  &= 11 - 5[(24) - 2(11)] \\
  &= 11(11) - 5(24) \\
  &= 11[(35) - (24)] - 5(24) \\
  &= 11(35) - 16(24)
\end{aligned}
\tag{2}
$$

From (2), it follows that:

$$
24^{-1} \equiv -16 \pmod{35} \equiv 19 \pmod{35}
$$

(c) $x = 17$, $y = 101$

There does exist an inverse $x^{-1} \pmod{y}$ for the pair $x = 17$, $y = 101$, since both 17 and 101 are prime numbers. Using the Extended Euclidean Algorithm to find the inverse $x^{-1} \pmod{y}$ for the pair $x = 17$, $y = 101$, we get that $17^{-1} \bmod 101 = 6$.
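The Extended Euclidean computation used above, as an added Python example that is not part of the original solutions: `division_steps` reproduces the division chain, `extended_gcd` returns the coefficients from the back-substitution, and `mod_inverse` returns `None` when the gcd is not 1. The function names are chosen for this example.

```python
def division_steps(x, y):
    """Euclid's division chain as (dividend, quotient, divisor, remainder)."""
    steps = []
    a, b = x, y
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))      # a = q(b) + r
        a, b = b, r
    return steps


def extended_gcd(x, y):
    """Return (g, s, t) with g = gcd(x, y) and s*x + t*y == g."""
    old_r, r = x, y
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s     # coefficient of x
        old_t, t = t, old_t - q * t     # coefficient of y
    return old_r, old_s, old_t


def mod_inverse(x, y):
    """Return x^{-1} mod y, or None when gcd(x, y) != 1 (no inverse exists)."""
    g, s, _ = extended_gcd(x, y)
    if g != 1:
        return None
    return s % y                        # map e.g. -16 to 19 (mod 35)


if __name__ == "__main__":
    for x, y in [(5, 25), (24, 35), (17, 101)]:   # the pairs from Problem 1
        for a, q, b, r in division_steps(x, y):
            print(f"  {a} = {q}({b}) + {r}")
        print(f"gcd({x}, {y}) = {extended_gcd(x, y)[0]}, "
              f"inverse = {mod_inverse(x, y)}")
```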

Problem 2

If an encryption function $e_K$ is identical to the decryption function $d_K$, then the key $K$ is said to be an involutory key. Find all the involutory keys in the Shift cipher over $\mathbb{Z}_{26}$.

Solution:

In order to find all involutory keys in the Shift cipher over $\mathbb{Z}_{26}$, let's first represent the 5-tuple that defines the cipher:

$$
\begin{aligned}
\mathcal{P} &= \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26} \\
y &= e_K(x) = (x + K) \bmod 26 \\
x &= d_K(y) = (y - K) \bmod 26
\end{aligned}
\tag{3}
$$

By definition, a cryptographic key $K$ is an involutory key if:

$$
e_K(x) = d_K(y) \tag{4}
$$

From equation (4), it follows that:

$$
\begin{aligned}
x &= e_K(e_K(x)) \\
  &= e_K[(x + K) \bmod 26] \\
  &= [(x + K) \bmod 26 + K] \bmod 26 \\
  &= (x + 2K) \bmod 26
\end{aligned}
\tag{5}
$$

From equation (5), the condition for a key to be an involutory key in the Shift cipher over $\mathbb{Z}_{26}$ is given as:

$$
2K \bmod 26 = 0 \tag{6}
$$

From equation (6), we conclude that there are two involutory keys in the Shift cipher over $\mathbb{Z}_{26}$: $K_1 = 0$; $K_2 = 13$.

Problem 3

Suppose $K = (5, 21)$ is a key in an Affine cipher over $\mathbb{Z}_{29}$.

(a) Express the decryption function $d_K(y)$ in the form $d_K = ay + b$, where $a, b \in \mathbb{Z}_{29}$.
(b) Prove that $d_K(e_K(x)) = x$ for all $x \in \mathbb{Z}_{29}$.

Solution:

An Affine cipher over $\mathbb{Z}_{29}$ is defined by the following 5-tuple:

$$
\begin{aligned}
\mathcal{P} &= \mathcal{C} = \mathbb{Z}_{29} \\
\mathcal{K} &= \{(a, b) : a \in \mathbb{Z}_{29} \text{ and } \gcd(a, 29) = 1,\ b \in \mathbb{Z}_{29}\} \\
y &= e_K(x) = (ax + b) \bmod 29 \\
x &= d_K(y) = a^{-1}(y - b) \bmod 29
\end{aligned}
\tag{7}
$$

(a) In order to express the decryption rule (equation (7)) in the form

$$
d_K(y) = ay + b, \quad \text{where } a, b \in \mathbb{Z}_{29} \tag{8}
$$

let's first find the multiplicative inverse of $a = 5$ over $\mathbb{Z}_{29}$ using the Extended Euclidean Algorithm:

$$
\begin{aligned}
29 &= 5(5) + 4 \\
5 &= 1(4) + 1 \\
1 &= 5 - 1(4) \\
1 &= 5 - 1(29 - 5(5)) \\
1 &= 6(5) - 29
\end{aligned}
\tag{9}
$$

From equation (9), it follows that $a^{-1} = 6$. We can now write:

$$
\begin{aligned}
d_K(y) &= a^{-1}(y - b) \bmod 29 \\
       &= (a^{-1}y - a^{-1}b) \bmod 29 \\
       &= (6y - 126) \bmod 29 \\
       &\equiv (6y + 19) \bmod 29
\end{aligned}
\tag{10}
$$

Therefore, the decryption rule $d_K(y)$ can be expressed as $d_K(y) = (6y + 19) \bmod 29$.

(b) We next prove that $d_K(e_K(x)) = x$ for all $x \in \mathbb{Z}_{29}$. In order to prove that $d_K(e_K(x)) = x$, let's express $d_K(e_K(x))$ in the following way:

$$
\begin{aligned}
d_K(e_K(x)) &= d_K[(5x + 21) \bmod 29] \\
            &= 6[(5x + 21) \bmod 29] + 19 \pmod{29} \\
            &= 30x + 126 + 19 \pmod{29} \\
            &= 30x + 145 \pmod{29} \\
            &= 30x + 145 \equiv x \pmod{29}
\end{aligned}
\tag{11}
$$

Equation (11) completes the proof.

Problem 4

The following ciphertext was encrypted using an Affine cipher:

edsgickxhuklzveqzvkxwkzukcvuh

The first two letters of the plaintext are "if". Please decrypt.

The plaintext is: if you can read this thank a teacher

Let's recall that the first two ciphertext letters, "ed" (4, 3), correspond to plaintext "if" (8, 5). We can apply that to the definition of affine decryption, $d_K(y) = a^{-1}(y - b) \bmod 26$, to get the following system of equations:

$$
\begin{aligned}
8 &= a^{-1}(4 - b) \\
5 &= a^{-1}(3 - b)
\end{aligned}
$$

Multiplying both sides by $a$, we get:

$$
\begin{aligned}
8a &= (4 - b) \bmod 26 \\
5a &= (3 - b) \bmod 26 \\
3a &= 1 \bmod 26
\end{aligned}
$$

We observe that $a^{-1} = 3$, and substitute that back into $5 = a^{-1}(3 - b)$, which allows us to solve for $b = 10$. Using the key $(a, b) = (3, 10)$, we can use any software to speed up the decryption. Below is an example of Matlab code.

    % Decrypt the affine ciphertext with d_K(y) = a_inv*(y - b) mod 26
    ciphertext_str = 'edsgickxhuklzveqzvkxwkzukcvuh';
    ciphertext = converttonumbers(ciphertext_str);
    a_inv = 3;
    b = 10;
    plaintext = mod(a_inv*(ciphertext - b), 26);
    plaintext_str = converttostring(plaintext);
    plaintext_str

    % Map the letters 'a'..'z' to 0..25; characters below 'a' become -1
    function numarray = converttonumbers(s)
        a = uint8('a');
        s = lower(s);
        numarray = zeros(1, length(s));
        for i = 1:length(s)
            t = uint8(s(i));
            if t < a
                numarray(i) = -1;
            else
                numarray(i) = double(t - a);
            end
        end
        %numarray = uint8(s) - a;
        numarray = double(numarray);
    end

    % Map the numbers 0..25 back to the letters 'a'..'z'
    function str = converttostring(x)
        a = uint8('a');
        %x = x + a;
        str = char(uint8(x) + a);
    end

Problem 5

Alice is sending a message to Bob using the Vigenère cryptosystem. At some point, Alice gets bored, and starts sending plaintext that consists of a single letter (known only to her) repeated a few hundred times. Eve knows that the Vigenère cipher is being used, and that the plaintext consists of a single letter, repeated. Show how Eve can deduce the key.

Solution:

Let's assume that Alice sends some number, and let's denote that number as $x$. Let's now assume that the key length is equal to $m$. Now we have the following case.

plaintext: $x\ x\ x\ x\ x\ x\ x\ x\ x\ x\ x\ x \dots$
ciphertext: $c_1\ c_2 \dots c_m\ c_1\ c_2 \dots$

Since Alice is constantly encrypting the same number $x$, eventually we will observe that the ciphertext is a periodic sequence. The period gives the key length $m$ of the Vigenère cipher. Another feature we can observe is the fixed difference between $c_i$ and $c_{i+1}$, where $i = 1, \dots, m - 1$. Therefore, we can represent any $c_i$ in terms of $c_1$. As a result, the size of the key space is reduced to 26. For any new ciphertext, we then need at most 26 trials to recover the message.

Problem 6

Evan, an attacker, is on a mission. He is given a (plaintext, ciphertext) pair (relation, ORIENTAL), and his task is to determine the complete cryptographic key (table), if the given pair is generated using:

(a) Permutation cipher,
(b) Substitution cipher.

Please put your black hat on, and show Evan how to accomplish this mission, or show why it is impossible. In doing so, please assume that the set of possible plaintexts is equal to the set of possible ciphertexts, and that it is equal to $\mathbb{Z}_{26}$.

Solution:

(a) The mission is possible if the given (plaintext, ciphertext) pair is obtained using the Permutation cipher. To see that, let's recall that with this cipher, the ciphertext is generated by altering the positions of the characters in the plaintext, i.e., rearranging the letters using a permutation. The given mission might be slightly harder if we assume that Evan doesn't know the key length, where the key length determines the number of letters that are considered when determining the permutation. However, even if the key length is unknown, Evan can still proceed by finding the key length via a trial-and-error method.
In doing so, we can make Evan's job significantly simpler by observing that the length of the given plaintext needs to be divisible (without a remainder) by the key length. In Evan's case, the only meaningful keys would be those of length 2, 4 and 8, and the actual key length is 8. The obtained permutation table is given below, in Table 1.

| $j$      | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|----------|---|---|---|---|---|---|---|---|
| $\pi(j)$ | 2 | 4 | 8 | 7 | 6 | 3 | 1 | 5 |

Table 1: Permutation table obtained as a solution in Problem 4.

(b) The mission at hand is impossible if the given (plaintext, ciphertext) pair is obtained using the Substitution cipher. To see that, let's recall that the main idea of the substitution cipher is to replace each letter of the plaintext alphabet with a letter at an arbitrary distance. It is important to note that we need to be able to replace every plaintext letter. Since our (plaintext, ciphertext) pair is rather short (only eight letters), we can only determine a part of the key (a part of the substitution table), but not the whole table. The partial table looks as follows:

| $x$      | a | e | i | l | n | o | r | t |
|----------|---|---|---|---|---|---|---|---|
| $\pi(x)$ | E | R | T | I | L | A | O | N |

Table 2: Partial encryption table for Substitution cipher.
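Evan's two cases from Problem 6, as an added Python example that is not part of the original solutions: it tries every key length that divides the text length for the Permutation cipher and builds the partial table for the Substitution cipher. The function names are hypothetical, and the permutation recovery assumes the letters within a block are distinct, as they are in "relation".

```python
from math import factorial

PLAIN, CIPHER = "relation", "ORIENTAL"    # the pair given in Problem 6


def recover_permutation(plain, cipher, m):
    """Block length m: return pi, where pi[j-1] is the ciphertext position of
    plaintext position j, or None if no single permutation fits all blocks."""
    plain, cipher = plain.lower(), cipher.lower()
    if len(plain) != len(cipher) or len(plain) % m:
        return None
    pi = None
    for start in range(0, len(plain), m):
        p, c = plain[start:start + m], cipher[start:start + m]
        if len(set(p)) != m:
            raise ValueError("repeated letters in a block: not handled here")
        if sorted(p) != sorted(c):
            return None                   # block is not a rearrangement
        block_pi = [c.index(ch) + 1 for ch in p]
        if pi is not None and block_pi != pi:
            return None                   # blocks disagree on the key
        pi = block_pi
    return pi


def try_key_lengths(plain, cipher):
    """Trial and error over every key length that divides the text length."""
    n = len(plain)
    return {m: recover_permutation(plain, cipher, m)
            for m in range(1, n + 1) if n % m == 0}


def partial_substitution_table(plain, cipher):
    """Substitution cipher: only the letters seen in the pair are determined."""
    table = {}
    for p, c in zip(plain.lower(), cipher.upper()):
        if table.setdefault(p, c) != c:
            return None                   # one letter, two images: not a substitution
    if len(set(table.values())) != len(table):
        return None                       # two letters, one image: not invertible
    return dict(sorted(table.items()))


def remaining_completions(table):
    """Full tables consistent with the pair: unseen letters map in any order."""
    return factorial(26 - len(table))
```

For the given pair, only key length 8 yields a permutation, while the substitution table fixes 8 of 26 entries and leaves 18! full tables consistent with the pair.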

Problem 7

Consider the DES cryptosystem. Suppose that the key scheduling algorithm (the algorithm used to compute the round keys) is as follows. For a given key $K$, the algorithm first computes round keys $K_1, \dots, K_8$ for the first eight rounds. The algorithm then sets $K_9 = K_8$, $K_{10} = K_7$, ..., $K_{16} = K_1$, so that $K_i = K_{16-i+1}$ for all $i = 1, \dots, 16$. (Note that the DES key scheduling algorithm does not actually work this way.) Suppose that you are given a ciphertext $Y$. Show how to determine the plaintext $x$ using a chosen plaintext attack. Recall that in a chosen plaintext attack, an attacker is given a ciphertext $Y$. The attacker is allowed to choose a plaintext $x' \neq x$ and receives the ciphertext $Y' = E_K(x')$. The attacker then attempts to compute the plaintext $x$ satisfying $Y = E_K(x)$.

Solution:

The approach is to choose the plaintext $(L_0', R_0')$ equal to $(R_{16}, L_{16})$, i.e., to reverse the blocks of the ciphertext. Consider the first round of the encryption. By definition of the DES encryption, $L_1' = R_0'$ and $R_1' = f(K_1, R_0') \oplus L_0'$. Substituting the values of $L_0'$ and $R_0'$ gives

$$
\begin{aligned}
L_1' &= L_{16} \\
R_1' &= f(K_1, L_{16}) \oplus R_{16}
\end{aligned}
$$

On the other hand, consider the DES decryption of the original ciphertext $(L_{16}, R_{16})$. By definition, we have

$$
\begin{aligned}
R_{15} &= L_{16} \\
L_{15} &= R_{16} \oplus f(L_{16}, K_{16}) = R_{16} \oplus f(L_{16}, K_1)
\end{aligned}
$$

Hence $L_1' = R_{15}$ and $R_1' = L_{15}$. Proceeding inductively, we have that $L_i' = R_{16-i}$ and $R_i' = L_{16-i}$. In particular, $L_0 = R_{16}'$ and $R_0 = L_{16}'$. The original plaintext is therefore given by $(R_{16}', L_{16}')$, where $(L_{16}', R_{16}')$ is the output from inputting $(R_{16}, L_{16})$ to the encryption box.

Problem 8

In the CBC mode of encryption, suppose that there is a bit error in one block of ciphertext. If the error occurs in the first block of ciphertext $Y_1$, which blocks of the plaintext will be decrypted incorrectly?

Solution:

Let $\hat{Y}_1$ denote the ciphertext with the bit error. The first block of plaintext ($x_1$) will be decrypted incorrectly, while the remaining blocks will be decrypted correctly.
This is because all subsequent blocks will be encrypted and decrypted using the same block $\hat{Y}_1$. To see that, note that the corrupted ciphertext is used in the XOR operation, so as long as the current blocks are XORed with the same ciphertext, the result does not depend on the ciphertext content itself, since $x \oplus x = 0$ and $y \oplus 0 = y$. Since $D_K(\hat{Y}_1) \neq x_1$, however, the first block will be decrypted incorrectly, so only the first block has an error.

Problem 9

In this exercise, we will see how a cryptosystem can fail if the encryption function is a linear function of the plaintext. Consider a cryptosystem that encrypts a 128-bit plaintext $x$ with a 128-bit key $K$ to get a 128-bit ciphertext $Y$. Let $E_K(x)$ denote the encryption function, and suppose that $E_K(x_1 \oplus x_2) = E_K(x_1) \oplus E_K(x_2)$ for all keys $K$ and plaintexts $x_1$ and $x_2$. Consider an attacker mounting a chosen ciphertext attack, in which the attacker chooses 128 ciphertexts $Y_1, \dots, Y_{128}$ and receives the plaintexts $x_1, \dots, x_{128}$ with $Y_i = E_K(x_i)$ for $i = 1, \dots, 128$. Show how the attacker can choose $Y_1, \dots, Y_{128}$ so that (s)he can decrypt any message $Y$ without knowledge of the secret key.

Solution:

Suppose that the attacker chooses ciphertexts $Y_1, \dots, Y_{128}$, where $Y_i$ has its $i$-th bit equal to 1 and all other bits equal to 0, and obtains the plaintexts $x_1 = D_K(Y_1), \dots, x_{128} = D_K(Y_{128})$. Given a ciphertext $Y$, let $\{i_1, \dots, i_k\}$ denote the indices of $Y$ that have bit 1. Hence $Y = Y_{i_1} \oplus Y_{i_2} \oplus \cdots \oplus Y_{i_k}$. Letting $x$ denote the plaintext satisfying $Y = E_K(x)$, we then have

$$
\begin{aligned}
E_K(x) = Y &= Y_{i_1} \oplus \cdots \oplus Y_{i_k} \\
           &= E_K(x_{i_1}) \oplus \cdots \oplus E_K(x_{i_k}) \\
           &= E_K(x_{i_1} \oplus \cdots \oplus x_{i_k})
\end{aligned}
\tag{12}
$$

where (12) follows from linearity of $E_K$. Since $E_K(x) = E_K(x_{i_1} \oplus \cdots \oplus x_{i_k})$ and the encryption operation is one-to-one, we must have $x = x_{i_1} \oplus \cdots \oplus x_{i_k}$. Since $x_{i_1}, \dots, x_{i_k}$ are known to the attacker, the plaintext $x$ can then be obtained.

Note that a chosen plaintext attack using plaintexts $x_1, \dots, x_{128}$, where $x_i$ is the $i$-th unit vector, will also enable the decryption of any message under this cryptosystem.
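
The argument of Problem 9 run against a toy cipher, as an added Python example that is not part of the original solutions. The cipher (`key_ops`, `encrypt`, `decrypt`), its key and the sample message are constructed for illustration; its only relevant properties are that it is linear over XOR and one-to-one.

```python
import random

BITS = 128


def key_ops(key):
    """Hypothetical toy key schedule: key-seeded list of bit pairs (i, j), i != j."""
    rng = random.Random(key)
    return [tuple(rng.sample(range(BITS), 2)) for _ in range(1000)]


def encrypt(key, x):
    """Toy E_K: each step does bit_j ^= bit_i, which is linear over XOR."""
    for i, j in key_ops(key):
        x ^= ((x >> i) & 1) << j
    return x


def decrypt(key, y):
    """Toy D_K: every step is its own inverse, so replay the steps backwards."""
    for i, j in reversed(key_ops(key)):
        y ^= ((y >> i) & 1) << j
    return y


def build_table(decryption_oracle):
    """Chosen-ciphertext phase: query Y_i (only bit i set) for i = 1..128."""
    return [decryption_oracle(1 << i) for i in range(BITS)]


def decrypt_without_key(table, y):
    """XOR together the stored x_i for every bit position set in Y."""
    x = 0
    for i in range(BITS):
        if (y >> i) & 1:
            x ^= table[i]
    return x


if __name__ == "__main__":
    key = 0xC0FFEE                                    # constructed sample key
    table = build_table(lambda y: decrypt(key, y))    # the 128 oracle queries
    message = int.from_bytes(b"sixteen byte msg", "big")   # constructed sample
    y = encrypt(key, message)
    recovered = decrypt_without_key(table, y)         # the key is not used here
    print(recovered.to_bytes(16, "big"))
```

A nonlinear step in each round, such as an S-box, breaks the identity on which `decrypt_without_key` depends.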