1. Consider the following encryption scheme for n-letter messages. The secret key tex2html_wrap_inline77 corresponds to a permutation on n locations. Given a message tex2html_wrap_inline81 , one computes its encryption tex2html_wrap_inline83 by


    For example, suppose that tex2html_wrap_inline85 . That is tex2html_wrap_inline87 , tex2html_wrap_inline89 and tex2html_wrap_inline91 . Then the encryption tex2html_wrap_inline93 would be ``nDa''.

    How does the security of this scheme vary according to the message size?
    What information is leaked by a single encryption using this scheme? That is, given tex2html_wrap_inline83 , what can we determine about M.

    Now let's try to break this scheme completely given multiple encryptions tex2html_wrap_inline99 for a fixed key tex2html_wrap_inline77 . We assume that we don't know tex2html_wrap_inline103 a priori but that they are in english.

    For a given i and j, how might we determine whether tex2html_wrap_inline109 , given enough messages? That is, can we determine if letters i and j of the ciphertext correspond to consecutive letters of the plaintext.
    Using the answer to Part 3, show how to reconstruct tex2html_wrap_inline77 .
    Suppose that tex2html_wrap_inline103 were not english but instead were just random strings. Could we find tex2html_wrap_inline77 given the ciphertext only?
  2. Data compression is often used in data storage or transmission. Suppose you want to use data compression in conjunction with encryption. Does it make more sense to
    Compress the data and then encrypt the result, or
    Encrypt the data and then compress the result.

    Justify your answer. Try to give at least two reasons.

  3. Before DESX was invented, the researchers at RSA Labs came up with DESV and DESW, defined by


    As with DESX, |k|=56 and tex2html_wrap_inline123 . Show that both these proposals do not increase the work needed to break the cryptosystem using brute-force key search. That is, show how to break these schemes using on the order of tex2html_wrap_inline125 DES encryptions/decryptions. You may assume that you have a moderate number of plaintext-ciphertext pairs, tex2html_wrap_inline127 .

  4. Given a cryptosystem tex2html_wrap_inline129 , define the randomized cryptosystem tex2html_wrap_inline131 by


    where R is a random bit string of the same size as the message. That is, the output of tex2html_wrap_inline135 is the encryption of a random one-time pad along with the original message XORed with the random pad. A new independent random pad R is chosen for every encryption.

    We consider two attack models. The goal of both models is to reconstruct the actual secret key k.gif

    Note that for the case of tex2html_wrap_inline131 the opponent has no control over the random pad R used in the creation of the given plaintext/ciphertext pairs.

    Prove that if tex2html_wrap_inline129 is secure against KR-RPA attacks then tex2html_wrap_inline131 is secure against tex2html_wrap_inline155 attacks.

    [Hint: It is easiest to show the contrapositive. Given an algorithm A that executes a successful tex2html_wrap_inline155 attack against tex2html_wrap_inline131 , exhibit an algorithm B (using A as a ``subroutine'') that executes a successful tex2html_wrap_inline167 attack against tex2html_wrap_inline129 .]