- Consider the following encryption scheme for *n*-letter messages. The secret key corresponds to a permutation on *n* locations. Given a message , one computes its encryption by

  For example, suppose that . That is , and . Then the encryption would be "nDa".

  - **A.** How does the security of this scheme vary according to the message size?
  - **B.** What information is leaked by a single encryption using this scheme? That is, given , what can we determine about *M*?

  Now let's try to break this scheme completely given multiple encryptions for a fixed key . We assume that we don't know *a priori* but that they are in English.

  - **C.** For a given *i* and *j*, how might we determine whether , given enough messages? That is, can we determine if letters *i* and *j* of the ciphertext correspond to consecutive letters of the plaintext?
  - **D.** Using the answer to Part 3, show how to reconstruct .
  - **E.** Suppose that were not English but instead were just random strings. Could we find given the ciphertext only?

- Data compression is often used in data storage or transmission. Suppose you want to use data compression in conjunction with encryption. Does it make more sense to

  - **A.** Compress the data and then encrypt the result, or
  - **B.** Encrypt the data and then compress the result.

  Justify your answer. Try to give at least two reasons.

- Before DESX was invented, the researchers at RSA Labs came up with DESV and DESW, defined by

  As with DESX, |*k*|=56 and . Show that both these proposals do not increase the work needed to break the cryptosystem using brute-force key search. That is, show how to break these schemes using on the order of DES encryptions/decryptions. You may assume that you have a moderate number of plaintext-ciphertext pairs, .

- Given a cryptosystem , define the randomized cryptosystem by
  where *R* is a random bit string of the same size as the message. That is, the output of is the encryption of a random one-time pad along with the original message XORed with the random pad. A new independent random pad *R* is chosen for every encryption.

  We consider two attack models. The goal of both models is to reconstruct the actual secret key *k*.

  - In the key-reconstruction chosen plaintext attack (*KR-CPA*), the adversary is allowed to generate strings and for each learn a corresponding ciphertext.
  - In the key-reconstruction random plaintext attack (*KR-RPA*), the adversary receives random plaintext/ciphertext pairs.

  Note that for the case of the opponent has no control over the random pad *R* used in the creation of the given plaintext/ciphertext pairs.

  Prove that if is secure against *KR-RPA* attacks then is secure against attacks.

  [Hint: It is easiest to show the contrapositive. Given an algorithm *A* that executes a successful attack against , exhibit an algorithm *B* (using *A* as a "subroutine") that executes a successful attack against .]
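
The randomized construction from the last problem, written out as an added example that is not part of the original problem set. The names `E`, `D`, `E_rand`, `D_rand` and `underlying_pair` are chosen here, and the hash-based Feistel network is only a stand-in assumption for the underlying cryptosystem.

```python
import hashlib
import secrets

BLOCK = 16  # bytes; the pad R has the same size as the message

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the stand-in cipher (assumption, not from the page).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in deterministic block cipher: 4-round Feistel network."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E: undo the rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def E_rand(key: bytes, msg: bytes) -> tuple[bytes, bytes]:
    """Randomized scheme: (encryption of a fresh pad R, message XOR R)."""
    if len(msg) != BLOCK:
        raise ValueError("message must be exactly one block long")
    pad = secrets.token_bytes(BLOCK)  # new independent R for every encryption
    return E(key, pad), _xor(pad, msg)

def D_rand(key: bytes, ct: tuple[bytes, bytes]) -> bytes:
    """Recover R by decrypting the first component, then strip it off."""
    c1, c2 = ct
    return _xor(D(key, c1), c2)

def underlying_pair(msg: bytes, ct: tuple[bytes, bytes]) -> tuple[bytes, bytes]:
    """Anyone holding (msg, ct) can compute R and so holds the pair (R, E_k(R))."""
    c1, c2 = ct
    return _xor(c2, msg), c1

if __name__ == "__main__":
    key, msg = b"k" * 7, b"sixteen byte msg"  # constructed sample values
    ct = E_rand(key, msg)
    print(D_rand(key, ct) == msg, E(key, underlying_pair(msg, ct)[0]) == ct[0])
```
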