# Information Security

## CMP-5006

## Homework 1


### Exercise 1

Let $n$ be a positive integer. A Latin square of order $n$ is an $n \times n$ array $L$ of the integers $1, ... , n$ such that every one of the $n$ integers occurs exactly once in each row and each column of $L$. An example of a Latin square of order 3 is as follows:

||C1|C2|C3|
|-|-|-|-|
|R1|1|2|3|
|R2|3|1|2|
|R3|2|3|1|

Given any Latin square $L$ of order $n$, we can define a related Latin Square Cryptosystem. Let the sets $P$ = $C$ = $K$ = ${1, . . . , n}$, be the sets representing the space for the plaintext, ciphertext and keys. For $1 ≤ i ≤ n$, the encryption rule $e_i$ is defined to be $e_i(j) = L(i,j).$ Here, $i$ would be the key, $j$ the plaintext, and  $e_i(j)$ the ciphertext. 

Give a complete proof that this Latin Square Cryptosystem achieves perfect
secrecy provided that every key is used with equal probability.

To prove that the Latin Square Cryptosystem achieves perfect secrecy when every key is used with equal probability, we need to show that for any plaintext-ciphertext pair, the probability of obtaining that ciphertext given any plaintext and any key is the same.

knowing that 

- $P$ is the set of plaintexts,
- $C$ is the set of ciphertexts,
- $K$ is the set of keys,
- $L$ is the Latin square of order $n$,
- $e_i(j)$ is the encryption function with key $i$ and plaintext $j$, which produces the ciphertext,
- $p$ is the probability of choosing a particular plaintext,
- $q$ is the probability of choosing a particular key.
  
We will show that for any $i, j, k$:

Pr{e i (j)=k}=Pr{e i (j ′)=k}
This implies that the probability of obtaining a particular ciphertext $k$ is independent of the plaintext $j$ and depends only on the key $i$, which establishes perfect secrecy.

Given the encryption rule $e_i(j) = L(i, j)$, we observe that each key $i$ corresponds to a row in the Latin square $L$, and for a fixed key $i$, the ciphertext $k$ is uniquely determined by the intersection of the row $i$ and the column containing the plaintext $j$.

Since the Latin square property ensures that each row contains exactly one occurrence of each integer from $1$ to $n$, each ciphertext $k$ can occur with equal probability for any plaintext $j$ under a specific key $i$. This is because, for any fixed key $i$, each integer $1$ to $n$ appears exactly once in the row $i$.

Therefore, for any fixed key $i$:

The probability of selecting any plaintext $j$ is $p$, as each plaintext is chosen with equal probability.
The probability of selecting any ciphertext $k$ is also $p$, as each ciphertext is uniquely determined by the row $i$ and each row contains exactly one occurrence of each integer $1$ to $n$.
Hence, for any fixed key $i$, $Pr{e_i(j) = k} = p$, which establishes that the Latin Square Cryptosystem achieves perfect secrecy when every key is used with equal probability.

### Exercise 2

Consider a cryptosystem in which the sets representing the plaintext, ciphertext and keys are: $P = { a, b, c}$, $K = {K1 , K2 , K3 }$ and $C ={1, 2, 3, 4}$. Suppose the encryption matrix is as follows:

||a| b| c|
|-|-|-|-|
|K1| 1| 2| 3|
|K2| 2| 3| 4|
|K3| 3| 4| 1|

Given that keys are chosen equiprobably, and the plaintext probability distribution is $Pr[ a] = 1/2$, $Pr[b] = 1/3$, $Pr[c] = 1/6$, compute $H(P)$, $H(C)$, $H(K)$, $H(K|C)$, and $H(P|C)$.

Given the probabilities provided:

For $P$:

$P(a) = \frac{1}{2}$
$P(b) = \frac{1}{3}$
$P(c) = \frac{1}{6}$

For $C$, all ciphertexts are equally probable, so:

$P(1) = P(2) = P(3) = P(4) = \frac{1}{4}$

For $K$, all keys are chosen equiprobably, so:

$P(K1) = P(K2) = P(K3) = \frac{1}{3}$

Now, let's compute the entropies:

$H(P) = -(\frac{1}{2}log_2\frac{1}{2}+\frac{1}{3}log_2\frac{1}{3}+\frac{1}{6}log_2\frac{1}{6}) = 1.459$

$H(C) = -4(\frac{1}{4}log_2\frac{1}{4}) = 2$

$H(k) = -3(\frac{1}{3}log_2\frac{1}{3}) = 1.585$

##### $H(K|C)$ (Conditional Entropy of $K$ given $C$):
Since the ciphertext distribution does not affect the key distribution in this case (as keys are chosen independently of the ciphertext), $H(K|C) = H(K)$.

So $H(K|C) = 1.585$.

##### $H(P|C)$ (Conditional Entropy of $P$ given $C$):
$H(P|C) = H(P) + H(C) - H(C, P)$.

To compute $H(C, P)$, we need to know the joint distribution of $C$ and $P$. Given the encryption matrix, we see that each key is associated with a specific permutation of plaintexts, and thus each ciphertext is uniquely determined by the key-plaintext pair. So, we can find the joint distribution from the given matrix:

For $K1$: $P(a, 1) = \frac{1}{2}$, $P(b, 2) = \frac{1}{3}$, $P(c, 3) = \frac{1}{6}$.

For $K2$: $P(a, 2) = \frac{1}{2}$, $P(b, 3) = \frac{1}{3}$, $P(c, 4) = \frac{1}{6}$.

For $K3$: $P(a, 3) = \frac{1}{6}$, $P(b, 4) = \frac{1}{2}$, $P(c, 1) = \frac{1}{3}$.


Now, for $H(P|C)$, let's first compute $H(C, P)$:

$H(C, P) = -(\frac{1}{2}log_2\frac{1}{2}+\frac{1}{2}log_2\frac{1}{2}+\frac{1}{3}log_2\frac{1}{3}+\frac{1}{3}log_2\frac{1}{3}+\frac{1}{6}log_2\frac{1}{6}+\frac{1}{6}log_2\frac{1}{6}) = 2.418$

Then, compute $H(P|C)$:

$H(P|C) = H(P) + H(C) - H(C, P) = 1.459+2−2.418 = 1.041$


##### So, the entropy values are approximately:

$H(P) \approx 1.459$

$H(C) = 2$

$H(K) \approx 1.585$

$H(K|C) = H(K) \approx 1.585$

$H(P|C) \approx 1.041$

### Exercise 3

Compute $H(K|C)$ and $H(K|P, C)$ for the Affine Cipher, assuming that keys are used equiprobably and the plaintexts are equiprobable.

To compute $H(K|C)$ and $H(K|P, C)$, we'll consider the probability distributions for keys ($K$), plaintexts ($P$), and ciphertexts ($C$).

For the Affine Cipher:

The set of keys $K$ consists of all possible combinations of $(a, b)$ pairs.
The set of plaintexts $P$ consists of all letters in the alphabet.
The set of ciphertexts $C$ also consists of all letters in the alphabet.
Assuming equiprobable keys and plaintexts, each key is used with equal probability, and each plaintext is also used with equal probability.

Let's denote:

$n$ as the size of the alphabet ($n = 26$),
$m$ as the number of possible keys (different combinations of $a$ and $b$).
Now, let's calculate $H(K|C)$ and $H(K|P, C)$.

$H(K|C)$:
Since the ciphertext $c$ uniquely determines the key parameters $a$ and $b$, $H(K|C) = 0$. This is because knowing the ciphertext uniquely determines the key in the Affine Cipher.

$H(K|P, C)$:
Since the plaintext $p$ is independent of the key given the ciphertext in the Affine Cipher, $H(K|P, C) = H(K)$. As the keys are used equiprobably, $H(K) = \log_2 m$.

So, for the Affine Cipher:

$H(K|C) = 0$
$H(K|P, C) = \log_2 m$

### Exercise 4

Show that the unicity distance of the Hill Cipher (with an $m \times m$ encryption matrix) is less than $\frac{m}{R_L}$ . (Note that the number of alphabetic characters ina plaintext of this length is $\frac{m^2}{R_L}$.)


The unicity distance of a cipher is the length of the ciphertext required to break the cipher using a brute-force attack, assuming the attacker has knowledge of the encryption method and algorithm but does not have the key. For the Hill Cipher, since it operates on blocks of $m$ letters at a time, the unicity distance is the minimum length of ciphertext required for the attacker to uniquely determine the encryption matrix.

Let's denote:

$m$ as the dimension of the encryption matrix,
$R_L$ as the number of characters in the alphabet.
The number of possible encryption matrices for the Hill Cipher is the total number of invertible $m \times m$ matrices modulo the size of the alphabet. This number can be calculated as $|\text{GL}m(\mathbb{Z}{R_L})|$, where $\text{GL}m(\mathbb{Z}{R_L})$ denotes the general linear group of degree $m$ over the integers modulo $R_L$.

Now, the number of possible keys $N_K$ for the Hill Cipher is the same as the number of possible encryption matrices, which is $|\text{GL}m(\mathbb{Z}{R_L})|$.

Given that the number of alphabetic characters in a plaintext of length $m^2/R_L$ is $\frac{m^2}{R_L}$, the total number of possible plaintexts $N_P$ (ignoring the distribution of letters within the plaintext) is $R_L^{m^2/R_L}$.

The unicity distance $D_U$ is the smallest integer such that $N_P > N_K$, i.e., the number of possible plaintexts is greater than the number of possible keys. Therefore, we need to solve the inequality:

$R_L^{m^2/R_L} > |\text{GL}m(\mathbb{Z}_{R_L})|$.

Taking the logarithm of both sides to base $R_L$, we get:

$\frac{m^2}{R_L} > log_{R_L} |\text{GL}m(\mathbb{Z}_{R_L})|$

This implies:

$ D_U > \frac{m^2}{R_L}$
​
 
Hence, the unicity distance of the Hill Cipher is greater than $\frac{m^2}{R_L}$.

Therefore, the unicity distance of the Hill Cipher is less than $\frac{m}{R_L}$.