T-79.

5501 Cryptology
Homework 1
January 29, 2009

1. Kasiski’s method and the method of Index of Coincidence are efficient methods for break-
ing the Vigenère cipher. The purpose of this exercise is to prove that any such method can
be used to break the autokey cipher. Show how the ciphertext produced by an autokey
cipher can be transformed to a ciphertext produced by a Vigenère cipher. What about
the converse? For the definition of autokey cipher, see, e.g., textbook Cryptosystem 1.7.
2. Define a stream cipher as follows:

P = C = ZZ7 , K = {(a, b) | gcd(a, 7) = 1}

plaintext = x 1 , x2 , x3 , . . .
zi = (a × i + b) mod 7, i = 1, 2, . . . , where (a, b) is the key.
ezi (xi ) = (xi + zi ) mod 7
ciphertext = y 1 , y2 , y3 , . . .
dzi (yi ) = (yi − zi ) mod 7

a) Using (5,3) as the key, compute the decryption of the message 25542531.
b) If you know that some part of the plaintext is 110503, and this encrypts to give the
ciphertext 501153, then derive as much as you can about the unknown key (a, b).
What additional information you need to derive the entire key?
3. The plaintext and ciphertext alphabet consists of the 26 letters A-Z and the space between
words. Each plaintext letter x is encrypted separately using a randomised substitution
as follows. The key K = (k0 , k1 , . . . , k9 ) is a permutation of the ten digits {0, 1, . . . , 9}.
The encryption process has the following steps.
(a) Pick a character y from the plaintext alphabet at random. Interpret the pair (y, x)
as the representation of an integer I to the base 27, that is, I = 27 · y + x. Let
a2 , a1 , a0 be the digits of I in the decimal system, where a2 is the most significant
digit.
(b) Use the key K to substitute ai by kai , i = 0, 1, 2.
(c) The ciphertext (c2 , c1 , c0 ) is obtained as the 27-base representation of the integer
100 · ka2 + 10 · ka1 + ka0 .
An attacker is observing plaintext-ciphertext pairs produced by this encryption system
with the same fixed key. An encryption of the character ‘space’ is ‘ABX’ and an encryption
for character ‘B’ is ‘ACB’. Based on this information, derive a and b such that ka = 0
and kb = 5.
4. Let us consider a cryptosystem where P = {a, b, c} and C = {1, 2, 3, 4}, K = {K1 , K2 , K3 },
and the encryption mappings eK are defined as follows:

K eK (a) eK (b) eK (c)

K1 1 2 3
K2 2 3 4
K3 3 4 1
 Given that keys are chosen equiprobably, and the plaintext probability distribution is
Pr[a] = 1/2, Pr[b] = 1/3, Pr[c] = 1/6, compute the following probabilities

a) Pr[y = i], i = 1, 2, 3, 4.
b) Pr[x = j, y = i], j = a, b, c, and i = 1, 2, 3, 4..

5. Does the cryptosystem of the preceding problem achieve perfect secrecy?

6. Plaintext is composed of independently generated bits that are arranged in blocks of

four bits. The probability that a plaintext bit equals 0 is p. Each block x1 , x2 , x3 , x4 is
encrypted using one key bit z by adding it modulo 2 to each plaintext bit. Hence the
ciphertext block is y1 , y2 , y3 , y4 where yi = xi ⊕ z, i = 1, 2, 3, 4. It is assumed that every
key bit is generated uniformly at random. Let us assume that a ciphertext block has k
zeroes and 4 − k ones, k = 0, 1, 2, 3, 4.

a) Compute the probability (as a function of k) that the encryption key was z = 0.
b) What value of k maximizes this probability?
c) For which value of k the probability that z = 0 is equal to 21 , that is, the ciphertext
does not give any information at all about the used key bit?