University of Virginia, Department of Computer ScienceCS588: Cryptology - Principles and Applications, Fall 2001 |

## CS588 Midterm Discussion

24 October 2001

Averages:Question 1: 15.2, 2: 18.2, 3: 20.5, 4: 17.9## 1. Mr. Jefferson's Imperfect Cipher

Recall the Jefferson Wheel Cipher from Lecture 1:

There are 36 wheels, each containing the 26 letters of the alphabet in scambled order. The wheels are placed on a spindle in an order determined by the key. A message is transmitted in 36-letter blocks by rotating the wheels to display the message horizontally, and then choosing a random row of the wheels as the ciphertext. For this question, we will assume that instead of choosing a random row, the sender chooses a row based on an offest that is part of the key known to both the sender and received.

a.(8) Argue convincingly that the Jefferson Wheel is a perfect cipher if only one letter of ciphertext is transmitted (assume the attacker knows the wheels, but not the order they are placed on the spindle or the choosen row offsets).

Answer:Getting one ciphertext letter doesn't give any help if determining the probabilities of the plaintext letter. For all possible plaintext letters and all possible wheel orders (any choice for the first wheel), there is some offset that produces the given ciphertext letter.Note that this is not true if offset 0 is not allowed (which would be reasonable for a real Jefferson Wheel Cipher, since otherwise a row would appear as plaintext). If the offset were not allowed to be 0, we would know given ciphertext letter

Xthe probability that the plaintext letter wasXis 0, hence the ciphertext letter effects the probabilities of the plaintext letter.I was disappointed in how many students attempted to show this using the Perfect Cipher Keyspace Theorem (Lecture 2): If a cipher is perfect, there must be at least as many keys (

l) are there are possible messages (n). The implication is in the other direction! Youcannotprove a cipher is perfect by showing there are as many keys are possible messages. Youcanprove a cipher isnotperfect by showing there arenotas many keys as there are possible messages. (See Lecture 2, Slide 29 for an example.)b.(10) Is the Jefferson Wheel a perfect cipher if two letters of ciphertext are transmitted? (Use convincing and clear arguments to support your answer. A well-supported wrong answer is better than a poorly argued correct one. As in part a, assume the attacker knows the wheels, but not the order they are placed on the spindle or the choosen row offsets.)

Answer:No.Consider a pathological example: all wheels are

ABCDEFGHIJKLMNOPQRSTUVWXYZ, the ciphertext isAM. The first letter of the plaintext could be anything, because we don't know the offset. Suppose it isT. This determines the offset (7). The second letter of the plaintextmustbeF.For a more realistic choice of wheels, this is harder to see (and the effect on the probabilities is less clear), but knowing the wheels still means so possible two-letter plaintexts are more likely than others for a given ciphertext. We could determine the probabilities by guessing all possible wheels for the first wheel, guessing all possible plaintext letters for the first letter, determining the offset that would produce the known first ciphertext letter, and then determining what the corresponding plaintext letter would be for the second letter for each of the other 35 wheels (as the possible second wheel).

If you're still not convinced this reveals something useful to the attacker, here's what happens when we try it for the wheels and ciphertext given in the Jefferson Wheel Challenge problem. An excerpt from the program I used to do this is below (you can find the entire Scheme program at

http://www.cs.virginia.edu/cs588/challenges/digrams.scm):;;; ;;; For given wheels and ciphertext, this function produces a list of the possible ;;; second plaintext letters given each possible guess for the first plaintext letter ;;; and first and second wheels. ;;; ;;; The result is of the form: ;;; ;;; ((#\A ;;; (0 . "*ZVKERMXVOKHOPQVOTMELHGHGADJNIICRPPG") ;;; (1 . "O*CLBIQMLQBSCOIIINYBGJYXAICGELAGOBCI") ;;; (2 . "KP*GLLZPIROMARWWQYNLJNTDOQGBOHGIGNRA") ;;; ... ;;; (35 . "UNXEMQBZPBRWTAUOZAPCYWWYBMTCIYSSPTY*")) ;;; (#\B ;;; (0 . "*JZZWKVHOPNLYVVARMIKHSROMGYMQTDOBKBL") ;;; ... ;;; ;;; This means if the first plaintext letter is "A", and the first ;;; wheel is wheel #0 ("FIQGHJKZEPLRMWYNOSXTAUVBCD"), if the second ;;; wheel is 1, then the second plaintext letter must be "Z". Note ;;; the first and second wheels cannot be the same, hence the "*" ;;; in the corresponding position. ;;; (define (find-possible-letters wheels ciphertext) (let ((first-ciphertext (string-ref ciphertext 0)) (second-ciphertext (string-ref ciphertext 1))) (map (lambda (plaintext-guess) (cons plaintext-guess (map (lambda (first-wheel-guess) (cons first-wheel-guess (list->string (map (lambda (second-wheel-guess) (if (eq? first-wheel-guess second-wheel-guess) ;;; Can't reuse the first wheel #\* (find-plaintext-letter (get-wheel wheels second-wheel-guess) second-ciphertext (find-offset (get-wheel wheels first-wheel-guess) plaintext-guess first-ciphertext)))) all-wheels)))) all-wheels))) ;;; Remove the first-ciphertext from the alphabet (no zero offsets) (remove-match alphabet first-ciphertext))))The sorted digram counts are:> (sort-tallys converted-tallys) (("MA" . 77) ("LU" . 71) ("LC" . 70) ("AR" . 70) ("OE" . 70) ("PC" . 69) ("OL" . 68) ... (all other possible digrams elided) ("YG" . 35) ("BX" . 35) ("OH" . 34) ("MO" . 33) ("SR" . 33) ("SO" . 32) ("PM" . 32) ("KH" . 31) ("QG" . 31) ("FC" . 31) ("RH" . 29) ("JF" . 0) ("YF" . 0) ("RF" . 0) ("NF" . 0) ("ZF" . 0) ("LF" . 0) ("OF" . 0) ("MF" . 0) ("FF" . 0) ("EF" . 0) ("PF" . 0) ...Note that all the digrams ending in

Fhave count 0, since we assume for the Jefferson Wheel Challenge (but not for the midterm question) that the offset cannot be 0 and the second ciphertext letter wasF. Of the other possible digrams,MAappears 77 times, whileRHappears only 29 times. This means, without taking into account anything about the likely plaintext language,MAis 2.65 times more likely to be the first two plaintext letters thanRHbased on what we know from the wheels and ciphertext alone! This is a convincing argument that the Jefferson Wheel is not a perfect cipher if the wheels are known, even if only 2 letters are transmitted. Nevertheless, it does not necessarily provide a practical break of the cipher (although inspection of the results does reveal some interesting properties of the wheels.) Before anyone gets mislead, the plaintext message doesnotbegin withMA.c.(7) If the attacker does not know anything about the wheels, how many letters can be transmitted using a Jefferson Wheel Cipher with perfect secrecy?This answer is wrong, but included here for historical accuracy. Skip down for the correct answer.

Answer:37 (no one got this, but full credit was awarded for good explanations of other answers)Recall that the secrecy is not perfect if an attacker could determine the probability of any message is different based on the ciphertext she has seen. Suppose (pathologically), the ciphertext is 36 A's.

This could correspond to any plaintext message. Suppose the plaintext message is 36 B's. This would be the case (for example) if the first wheel is

"FIQGHJKZEPLRMWYNOSXTAUVBCD"and the offset is 23. The second and later wheels would then be constrained to haveAandBin the same relative positions (but the other letters could be anywhere). Without knowing the wheels though, any plaintext message is equally likely - we can findexactlythe same number of offsets and wheels that would produce it as would produce this one.What happens if we see a 37th ciphertext letter (say another

A). The offset for the 37th letter is a new randomly choosen (as far as the attacker is concerned) offset. Hence, it could correspond to any plaintext letter. The attacker still does not have any useful information for an attack.One way to see this is to view the Jefferson Wheel like a Vigenere or One-Time Pad. If we don't know the wheels, each wheel corresponds to an unknown letter in a Vigenere key. If we transmit as many letters as the key length (and the key is random), we still have perfect secrecy. When we transmit the next letter, we have used the same key letter twice, and the ciphertext now provides an attacker with some useful information. In a Vigenere with 36-letter key, for example, if the 1st and 37th ciphertext letters match, we know that the 1st and 37th plaintext letters also match.

With the Jefferson Wheel, however, there is an offset to contend with also. Knowing the 1st and 37th ciphertext letters does not tell us anything about the 1st and 37th plaintext letters. In the trivial case, if they are the same it could mean the plaintext letters were the same and the offset was the same, or the plaintext letters were different and the offset was different (remember, in this case we don't know anything about the wheels to being with).

But, when we see the 38th ciphertext letter, we do know something useful. The offset is the same for the 37th and 38th letters, so if the 1st, 2nd, 37th and 38th ciphertext letters are identical, we know (findIndex returns the location a letter on a wheel):

C[1] = wheel1 [findIndex (wheel1, P[1]) + offset1] C[2] = wheel2 [findIndex (wheel2, P[2]) + offset1] C[37] = wheel1 [findIndex (wheel1, P[37]) + offset2] C[38] = wheel2 [findIndex (wheel2, P[38]) + offset2]To simplify, supposeC[1] = C[2] = C[37] = C[38] = C.C = wheel1 [findIndex (wheel1, P[1]) + offset1] = wheel2 [findIndex (wheel2, P[2]) + offset1] = wheel1 [findIndex (wheel1, P[37]) + offset2] = wheel2 [findIndex (wheel2, P[38]) + offset2] findIndex (wheel1, P[1]) + offset1 = findIndex (wheel1, P[37]) + offset2 findIndex (wheel2, P[2]) + offset1 = findIndex (wheel2, P[38]) + offset2Subtracting we have,

findIndex (wheel1, P[1]) - findIndex (wheel2, P[2]) = findIndex (wheel1, P[37]) - findIndex (wheel2, P[38])We still don't know the wheels, but the constraints on the wheels mean certain choices for

P[1],P[2],P[37]andP[38]will be more likely than others.

7 Nov: Here's the correct answer:That answer is wrong. Its only perfect for 1 letter even if you know the wheels. Matthew Mah noticed this problem:

I claim that the Jefferson Wheel Cipher is imperfect for two letters or more. To do this, we will use the following definition of perfect cipher from Lecture 2, slide 30: Given any plaintext, the probability that it matches any particular ciphertext is the same. Now we examine the case where we have a plaintext AB. Assume, for contradiction, that the Jefferson Wheel Cipher is perfect. AB can be mapped to any ciphertext using the Jefferson Wheel Cipher. Then AB can be mapped to ciphertext AC. A -> A => the offset for the round of 36 letters is 0. B -> C => the offset for the round of 36 letters is not 0. So the offset is both 0 and not 0, =><=. So the Jefferson Wheel Cipher cannot be perfect for two letters. Note that this proof does not require any knowledge of the letter arrangement on the wheels. It only assumes that each wheel has 26 distinct letters. To summarize, it is not possible to get every 2-letter ciphertext from a two letter plaintext, so the cipher cannot be perfect.

## 2. Number Theory and RSA

Lisa Euler, great-great-great-great grandchild of a well known Swiss mathematician, has just invented a remarkable quantum computing device that is able to compute the Euler's Totient function for any number of any size.

a.(8) Show how she can use the device to crack RSA encrypted documents if she knows the public key (exponenteand modulusn) that was used.

Alice and Cathy are really good friends. They decide that instead of each having to go through the work of finding large primes, they will write a program that finds two large primesAnswer:Since Lisa knowsn, her device can calculateφ(n). Sinceeis also known, she can find the multiplicative inverse ofemodφ(n). Using the extended Euclidean algorithm, she findsdsuch thated≡ 1 modφ(n). The decryption of an RSA encrypted document proceeds as normal, by raising the ciphertext to thedpower and reducing modn.pandq, but does not reveal them to anyone. Note that neither Alice nor Cathy knowporq.The program then picks

e_{A}for Alice, and findsd_{A}such thate_{A}d_{A}≡ 1 mod (p- 1)(q- 1) and revealsd_{A}to Alice only. Similarly, it then pickse_{C}for Cathy (different frome_{A}, and findsd_{C}such thate_{C}d_{C}≡ 1 mod (p- 1)(q- 1) and revealsd_{C}to Cathy only.Alice publishes (

e_{A},n) as her RSA public key. Cathy publishes (e_{C},n) as her RSA public key.

b.(5) Bob wants to send a messageMto Alice and Cathy, such that neither can read it independently, but they can both read it if they work together. What should Bob send? (Note: no more that one modular exponentiation should be required.)

Answer:The straightforward way Bob can do this is to encrypt a messageMfirst with Alice's public key, then with Cathy's public key resulting in (because of the limitations of HTML formatting we usee_Afor Alice's public exponent ande_Cfor Cathy's public exponent):(

M^{e_A}modn)^{e_C}modnSince Alice and Cathy use the same modulus

n, this can be simplified to:

M^{e_Ae_C}modnHence Bob can first calculate

e_AC=e_Ae_Cand findM^{e_AC}modnusing a single modular exponentiation.c.(5) Show that Alice and Cathy together can decrypt Bob's encrypted message to obtainM.

Answer:Bob sendsC=M^{e_A e_C}modnto Alice and Cathy. They each use their private keys to decrypt, giving:((

M^{e_A e_C}modn)^{d_A}modn)^{d_C}modn, and since the mod can be moved out,

=M^{e_A e_C d_A d_C}modn, rearranging,

=M^{e_Ad_A e_C d_C}modn, rearranging,

= (M^{e_Ad_A}modn)^{e_C d_C}modn, and sincee_A d_A≡ 1 modφ(n),

= (M^{k φ(n) + 1}modn)^{e_C d_C}modn, which is,

= (MM^{k φ(n)}modn)^{e_C d_C}modn, and by Euler's Theorem,

= (Mmodn)^{e_C d_C}modn, and removing the mod again,

=M^{e_C d_C}modn, and sincee_C d_C≡ 1 modφ(n),

=M^{k' φ(n) + 1}modn, which is,

=MM^{k' φ(n)}modn, and by Euler's Theorem,

=Mmodn, and sinceM<n,

=Md.[hard question] (7) After the poker incident, Alice and Cathy are no longer such good friends. Alice wants to determine Cathy's private keyd_{C}. Is it any easier for her to do this than it would be for Bob?

Answer:Alice and Bob both know the public information:e_A,e_C, andn. Neither knowd_C,p,q, orφ(n). Alice does know her own decryption keyd_A, and the relationshipe_A d_A≡ 1 modφ(n). She can therefore computee_A d_A- 1, which is equal tok φ(n), and try factoring this to findkandφ(n). This is not necessarily easier than factoringndirectly, thoughkis likely to be smaller than eitherporq. Products of the factors found can easily be checked for whether they produce a "working"φ(n). (This was sufficient to get full credit for this question.)It turns out that with a little work (complexity

O(length_of_n), Alice can find the factors of^{3})ndirectly using her owne_Aandd_A. This is called the Common modulus attack (see MBC pg. 169) and is due to Simmons.A related strategy, sometimes also called the common modulus attack, can recover the plaintext from messages sent identically to multiple parties who use the same modulus. In this case, the plaintext is recovered from nothing more than the public encryption exponents and the ciphertexts. It does not yield the factorization of the modulus.

## 3. Debt Collection

Cathy is having difficulty collecting the poker winnings from Alice and Bob. She decides to enlist the services of WHACKERS.com ("We have already collected kilobucks, everytime really secretly") to "persuade" Alice and Bob to pay their debts.Because WHACKERS is worried some unscrupulous individuals may use their services for nefarious purposes, they follow a strict policy of only offering their services to customers who present creditials to prove they are members of the Better Bettors Bureau.

Cathy visits her local BBB office, shows her photo ID and affirms her honesty, pays her dues, gives the BBB official a new public key KU

_{C}(for which only Cathy knows the corresponding private key KR_{C}) and receives this certificate from the BBB:ENote that the certificate doesn't reveal Cathy's identity, just that she is a member of the BBB (this relies on the BBB not keeping a record that maps Cathy's true identity to the certificate it generates for her)._{KRBBB}[ "The bearer of thie certificate is a member in good standing of the Better Bettors Bureau and the owner of the private key corresponding to " || KU_{C}]Cathy uses an anonymous routing protocol to send a message to WHACKERS and arrange a meeting with one of their representatives at the local Starbucks.

a.(7) Cathy presents her certificate to the WHACKERS representative. How would he check the certificate is valid?Answer:The WHACKERS representative should calculate E_{KRBBB}(certificate) and verify that the decrypted certificate matches "The bearer of this certificate is a member in good standing of the Better Bettors Bureau and the owner of the private key corresponding to " || KU_{C}(for some KU_{C}).b.(8) After a few unfortunate incidents, WHACKERS has become concerned that potential customers who are not BBB members are presenting stolen creditials. Nothing in the certificate validation distinguishes the legitimate creditial holder from someone else who copied the bits. Suggest an improvement to the credentials verification protocol (that can be done without any changes to the certificate itself).Answer:The best answers used a challenge-response protocol. The WHACKERS representative should:Only the real owner of the certificate should know KR

- Calculate a secret random number,
R- Give the potential customer E
_{KUC}(R)- Ask the customer to decrypt and give back
R._{C}to be able to calculateR.A common solution was to modify the certificate somehow, like by adding an extra encryption step. Unfortunately this doesn't solve the problem, since anyone can steal this NEW certificate and pretend to be a real customer. It doesn't matter that the crook doesn't know how to decrypt the certificate, just that the WHACKERS representative thinks it is real.

c.(10) After the visit from WHACKER's representative, Alice and Cathy agree to settle their differences by tossing a coin. If Cathy calls the coin toss correctly, Alice will pay double her debt; if not, Alice will pay nothing. They must do the coin toss over the telephone. Describe a protocol they can use to fairly determine the result (e.g., have exactly a 50% chance that Alice wins). Alice and Cathy both agreeHsatisfies the properties of a cryptographic hash function but neither trusts any public or symmetric key encryption system.Answer:Here's a solution based on a Bit Commitment protocol:Common errors involved using only one random string, instead of

- Cathy generates 2 random strings,
R1andR2, and her guess,b("heads" or "tails").- Cathy sends
H(R1||R2||b) andR1.- Alice picks "heads" or "tails" and sends that to Cathy.
- Cathy sends
R2andbto Alice.- Alice verifies
H(R1||R2||b) is the same as before.R1andR2. There are two possibilities in this case:By keeping part of the random string secret (

- Cathy keeps
Rsecret and sendsH(R||b) - Cathy can cheat by lying aboutRafter the fact. She can say thatRis whatever she wants and can change her value ofb.- Cathy sends
RandH(R||b) - Alice can cheat by calculatingH(R|| "heads") andH(R|| "tails") and determining which value equalsH(R||b).R2) and part of the string public (R1), both of these problems can be avoided.## 4. Truths and Falsehoods

The following statements were taken from Microsoft's recently released "Safe Internet: Microsoft Privacy & Security Fundamentals" web site (http://www.microsoft.com/privacy/safeinternet/) and their "The Ten Immutable Laws of Security" page (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/10imlaws.asp).For each of these statements, indicate whether the statement is

true,misleadingor anoutright falsehood.Supportyour answer with 1-3 sentences. An incorrect, but well-supported answer is worth more credit that a correct, poorly-supported answer. Some parts of the statements areboldto focus your attention.

Note:We show what we believe is the "best" answer here, but it was possible to get full credit on each of these subparts with a good justification of any other answer (and possible to get no credit by having the "best" answer with inadequate justification).a.(7) Unless your e-mail application providesencryption features such as the use of digital signatures, your messages are about asprivateas a letter sent in an unsealed envelope.Outright Falsehood.Digital signatures (like physicial signatures) provideauthenticity, notprivacy. Anyone can read a signed message by decrypting using the signer's public key. (Various full credit answers answeredTrueand explained that a sealed envelope doesn't really protect privacy either, since of course, any intercepter can open it. I believe its giving Microsoft too much credit to interpret this statement as meaning an unsigned message is like an unsealed envelope because you can't trust it came from the claimed sender, but a digitally signed message is like a sealed envelope because you can do a DNA test on the seal saliva to confirm it matches the purported sender's.)b.(6) For those messages that require strong security, numerous encryption options are available. If you use Microsoft® Outlook® or Outlook Express, you can turn on the application's security options. Even though most communications don't requires this level of security,when in doubt, encrypt it.MisleadingorOutright Falsehood. Sending out ciphertext unnecessarily is risky. The more ciphertext an attacker has, the better likelihood she can break the cipher. Historically, many of the WWII ciphers were broken when careless operators sent something encrypted that was not top secret and got lazy and made mistakes with the encryption process (of course laziness and mistakes are not a concern when the encryption is done by software). From a pragmatic standpoint, most modern ciphers are strong enough that the amount of ciphertext revealed even in all your emails would be unlikely to help any realistic attack. Perhaps a greater concern, is if you are recklessly encrypting (and worse, signing) messages that an attacker can control. For example, if you were to sign and encrypt messages you forwarded. A clever attacker could construct a message such that if you signed the message (or a hash of the message) it would reveal useful properties about your private key.c.(6) The key to strong passwords lies in theirlength and unfamiliarity. Passwords witheight characters are harder to crackthan passwords with four or six characters. Passwords that mix letters and numbers or punctuation symbols (hyphens, for instance) are even more difficult.Misleading. The reason I think its misleading is that an eight character, repeated use passowrd cannot really be consideredstrong. L0ftcrack (now LC3) can break 90% of passwordsovereight characters required to include mixed case, letters, numbers and symbols within 48 hours (on a Pentium II/300). Its true that longer passwords are harder to crack, but its misleading to claim they are strong.d.(6) Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience - you don't have to handle the key - but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end,no matter how well-hidden the key is, if it's on the machine it can be found.True. If the whole key can be produced by the legitimate program from information on the machine, then it can also be discovered by a rogue program using the same information. Splitting the key in different locations (using XOR), or encrypting it using another key (which also has to be stored somewhere) can make it harder to find, but not impossible. Given that an attacker can probably examine the binary of the legitimate and find out how it produces the key, it is not so hard for the attacker to do the same thing. This is why programs that try to keep keys secret from users like Adobe eBook are inevitably broken (seeInside eBook Security, Dr. Dobb's Journal November 2001), and try to protect their keys by putting programmers in jail.

University of Virginia Department of Computer Science CS 588: Cryptology - Principles and Applications |
David Evansevans@cs.virginia.edu |