Birla Institute of Technology & Science – Pilani

Hyderabad Campus
nd
2 Semester 2022-2023
Cryptography (BITS F463) – Comprehensive Examination (Regular) – KEY
Q1. (a) 3 x 3 Hill cipher encryption scheme with the key phrase “ciphering” and the plaintext message
“safe messages”. We need to find the last two sets of trigrams in the ciphertext.
The last two trigrams in the plaintext represented as column vectors are

s 18
s 18
a 0

and
g 6
e 4
s 18

The key is given as “ciphering”. 2 8 15

7 4 17
8 13 6

C = KPmod 26
Multiplying, we get the corresponding two trigraphs in the ciphertext as

Y and C
Q A
O A

(b) Given standard Playfair cipher to decrypt the ciphertext “OMRMPCSGPTER”; the Playfair key matrix
was constructed using the keyword “COMPUTER.
The 5 x 5 Playfair matrix can be constructed as
C O M P U
T E R A B
D F G H I/J
K L N Q S
V W X Y Z

The ciphertext is given as OMRMPCSGPTER. Now applying the standard Playfair decryption rules, we
get COMXMUNICATE => Thus the plaintext is Communicate.
(c) (i) encrypting the message “buy your books in August” using a rail fence cipher with encryption key 3.
Since there are 20 letters in the plaintext, the number of columns in the rail fence will be 20 and since the
key is 3, the number of rows will be 3.
b o o i g
u y u b o s n u u t
y r k a s
The ciphertext is: BOOIGUYUBOSNUUTYRKAS

(ii) The ciphertext generated out of a simple columnar transposition (9 columns) is:
NTSES NDTIO HMRIO CIDTE OONRO OIHWR UCANU TIOES ENSSY NRDTR CCSGL AHEEI
TIDNA IAEUN IGNGN NP

We need to construct a matrix with 9 columns and write the ciphertext down as columns. Since there are
77 letters and 9 columns, the number of full rows will be 77/9 = 8 and the number of partial rows will be 1
with 5 letters (77 mod 9).

N O T H I N G I N
T H E W O R L D I
S M O R E D A N G
E R O U S T H A N
S I N C E R E I G
N O R A N C E A N
D C O N S C I E N
T I O U S S T U P
I D I T Y

So, the plaintext is “Nothing in the world is more dangerous than sincere ignorance and conscientious
stupidity”

(iii) Given the ciphertext GPSDOAILTIVRVAAWETECNITHMEDLHETALEAONME for a columnar

transposition with the key k = 7, we need to find the number of full rows and the number of partial rows in
the columnar transposition matrix. The number of letters in the ciphertext = 39 and the number of columns
is 7.
Number of full rows = 39/7 = 5
Number of partial rows = 1 ( with 39 mod 7 = 4 letters)
Q2. (a)

(i) By Fermat’s Little theorem, 5100 ≡ 1 (mod 101);

That means, 599 x 51 ≡ 5 x 599 ≡ 1 (mod 101);
By definition, this means that the inverse of 5 modulo 101 is 599
(ii) Square and Multiply method to simplify 599 (mod 101).
52 = 25
54 ≡ 19
5 8
≡ 58
516 ≡ 31
532 ≡ 52
5 64
≡ 78
So, 599 (mod 101) = 78 x 52 x 25 x 5 = 81 mod 101 = 81
(iii) Solving the equation 5x ≡ 31 (mod 101) using cues from part (i) and (ii).
x ≡ 5-1 . 31 (mod 101) = 81 . 31 ≡ 87 (mod 101)

(b) (i) Given the system of equivalences: x ≡ 2 (mod 5); x ≡ 5 (mod 8); x ≡ 4 (mod 37),
m1 = 5; m2 = 8 and m3 = 37
M1 = 8 . 37 = 296 M2 = 5 . 37 = 185 M3 = 5 . 8 = 40
M1 ≡ 1 (mod 5) M2 ≡ 1 (mod 8) M3 ≡ 3 (mod 37)
We can as well write this as 1.1 ≡ 1 (mod 5); 1.1 ≡ 1 (mod 8); 3.25 ≡ 1 (mod 37)
So, x ≡ 2.296.1 + 5.185.1 + 4.40.25 ≡ 1077 mod (5.8.37) ≡ 1077 mod 1480
Thus, the two smallest positive integers in this congruence class are 1077 and 2557.
(ii) ø(27) = ø( 3 x 32) = 2 . 9 = 18
The list of elements in the residue set is as follows:
{1; 2; 4; 5; 7; 8; 10; 11; 13; 14; 16; 17; 19; 20; 22; 23; 25; 26}.
(c) The public key (e, n) is (1565, 3551) and one of the prime numbers p is 67. As we can see, 67 is a
factor of n = 3551. So the other prime number q = 53. Thus ø(n) = 66 x 52 = 3432.
e.d = 1 mod ø(n).
Using extended Euclidian algorithm,

So, the private key component is 125.

Q3. (a) Diffe-Hellman secure key exchange scheme: choose public numbers (q, a prime number as 11 and
a, the generator as 2). Let xA = 4 and xB = 6 be the corresponding private keys.
yA = axA mod q = 24 mod 11 = 5
yB = axB mod q = 26 mod 11 = 9
Session key K computed from A’s perspective: => Eqn 1
yBxA mod q = 95 mod 11 = 5.

Session key K computed from B’s perspective: => Eqn 2

yAxB mod q = 56 mod 11 = 5.
Since Eqn 1 and Eqn 2 are computing the same K value, the correctness of the implementation is
proved.

(b) Bob encrypts the message 13 using the ElGamal crypto system with prime number p = 17, generator g
= 6, a random number k = 10 and sends the encrypted message as (C 1, C2) to Alice whose private key xA
= 5.
yA = gxA mod p = 65 mod 17 = 7
Bob now computes the one-time key K = yAk mod p = 710 mod 17 = 2
Bob now encrypts the message M = 13 as a pair of integers (C1,C2) where C1 = gk mod p ; C2 = KM mod p
C1 = gk mod p = 610 mod 17 = 15
C2 = KM mod p = 710 mod 17 x 13 mod 17 = (710 x 13) mod 17 = 9
Thus, (C1, C2) = (15, 9)
Alice then recovers the message as:
recovering key K as K = C1xA mod p = 155 mod 17 = 2
computing M as M = C2 K-1 mod p = 9 x 2-1 mod 17 = (9 x 9) mod 17 = 13
So it is proven that Alice could indeed retrieve the message 13

(c) For RSA, given two prime numbers p = 7 and q= 19. Let the encryption component e = 29. The plaintext
is given as 99
RSA Key Setup
n = 7 x 19 = 133
ø(n) = (p-1) (q-1) = 6 x 18 = 108
e.d = 1 mod ø(n) = 29 . d = 1 mod 108
So, d = 41
PU = {29, 133}; PR = {41, 133}
Encryption process
C = Me mod n = 9929 mod 133 = 92
Decryption process
M = Cd mod n = 9241 mod 133 = 99
Q4. (a) Given,
Encryption Plaintext and ciphertext key
E1 Plaintext: 0000000000000000 22234512987ABB23
Ciphertext: 4789FD476E82A5F1
E2 Plaintext: 0000000000000001 22234512987ABB23
Ciphertext: 0A4ED5C15A63FEA3
16th round ciphertexts mean the last stage ciphertexts since we are using DES.
It is given that 1 bit change in the plaintexts causes 29 bits in the ciphertexts to change. Also, with DES,
the ciphertext block size is 64.
Therefore, the extent of avalanche effect in this case is [29/64] x 100 = 45.31 %
(b) (i) The plaintext is given as 0123456789abcdeffedcba9876543210 and the round key as
0f1571c947d9e8590cb7add6af7f6798 for AES.
Representing the plaintext as a 4 x 4 matrix,
01 89 fe 76
23 ab dc 54
45 cd ba 32
67 ef 98 10

Similarly representing the key as a matrix,

0f 47 0c af
15 d9 b7 7f
71 e8 ad 67
c9 59 d6 98

Now adding (xor-ing) the above two matrices, we get the sum as
0e ce f2 d9
36 72 6b 2b
34 25 17 55
ae b6 4e 88

(ii) w0 = (0f 15 71 c9); w1 = (47 d9 e8 59); w2 = (0c b7 ad d6); w3 = (af 7f 67 98)

(c) (i) The equivalent 2D table version of the given S-box is as follows.
00 01 10 11
00 7 9 1 0
01 2 4 11 6
10 15 10 14 13
11 8 3 12 15
(ii) if the input to the substitution is 9 (1001), 01 will be the column bits and 10 will be the row bits; the
output from this S-box = 10 (1010)
(iii) If the input bits are 0100, 00 will be the column bits and 01, the row bits; the output (in integer form)
from this S-box = 2
Q5. (a)
The group law is point addition; to add two points P and Q, we need to draw the line PQ through them
find the third point of intersection -R of that line, and reflect it over the axis of symmetry of the curve.
The resulting point, R, will be the sum of P and Q. For the purposes of this addition, that the point at
infinity O lies on any line through a point and it is opposite. Also, we need to use the tangent line at P
to add it to itself).

(b) Given the elliptic curve group defined by the equation, y2 = x3 + 9x + 17 over F23. The discrete logarithm
k of Q = (4,5) to the base P = (16,5) can be found by the naive method.
We need to compute the multiples of P until Q is found.
Here the first few multiples of P are given as P = (16,5) 2P = (20,20) 3P = (14,14) 4P = (19,20) 5P = (13,10)
6P = (7,3) 7P = (8,7) 8P = (12,17) 9P = (4,5).
We can observe from the multiples that 9P = (4, 5) = Q
That is, Q = 9P = kP
So, the discrete log value k is = 9.

(c) Given an ECC scenario where P + 6P = Q. The logarithm of Q to the base P can be found as follows.
P + 6P = Q
7P = Q or Q = 7P
From ECDLP, we know that Q = kP
Therefore, the logarithm of Q to the base P is k = 7
Q6.
Given the shared global public values (p, q, g) as (173, 43, 16); the private key x = 7. The hash of the
message H(M) = 30, the random signature key k = 9
Key generation module:
Given the private key x = 7
So, the public key is y = gx mod p = 167 mod 173 = 6
Signature generation module:
r = (gk mod p) mod q = (169 mod 173) mod 43 = 152 mod 43 = 23

s = [k-1(H(M)+ xr)] mod q => [9-1 * 30 + 7 * 23] mod 43

=> 9s ≡ 30 + 7 * 23 => ≡ 19 mod 43

9-1 mod 43 = 24

So, s ≡ 19 . 24 mod 43 ≡ 26 mod 43 = 26.

Thus the signature is (r, s) = (23, 26).

Q7.
i=j=0
for each message byte Mi
i = ( i + 1 ) (mod 256)
j = ( j + S[i] ) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
Q8.

Desirable property of the hash function Name of the

property
For a given h in the output space of the hash function, it is hard to find Pre-image
any message x with H(x) = h resistance
For a given message x1, it is hard to find a second message x2 ≠ x1 Second pre-image
with H(x1) = H(x2) resistance
It is hard to find a pair of messages x1 ≠ x2 with H(x1) = H(x2) Collision resistance
For a given h in the output space of the hash function, it is hard to find One-way function
any message x with H(x) = h
Q9.

Challenging scenario Block cipher mode not to be

used
If a message has two identical blocks, the ciphertext will be ECB
two identical blocks
IV repetition completely compromises security OFB
A single-bit transmission error in ciphertext block Ci results CBC
in whole plaintext block Pi and the same bit in plaintext block
Pi+1 being corrupted
The IV must be generated in a strongly pseudo-random CFB
fashion
Q10.

1. A->KDC: IDA || IDB || N1

2. KDC -> A: E(Ka,[Ks||IDB||N1|| E(Kb, [Ks||IDA])])

3. A -> B: E(Kb, [Ks||IDA])

4. B -> A: E(Ks, [N2])

5. A -> B: E(Ks, [f(N2)])