Assignment 2

The document outlines Assignment 2 for the CS409m course on Cryptography, detailing various exercises related to classical ciphers, perfect secrecy, and pseudorandom generators. Each exercise requires students to demonstrate understanding through proofs and modifications of encryption algorithms. The assignment is structured to deepen knowledge of cryptographic principles and their applications.

Uploaded by

saarthak27iitb
CS409m: Introduction to Cryptography Autumn 2025

Assignment 2
August 19, 2025
Instructor: Chethan Kamath TAs: Nilabha Saha and Priyanshu Singh

Exercise 1. [Classical ciphers are sometimes secure] Let’s understand the conditions
under which some of the classical ciphers we discussed in Lecture 01 become perfectly
secure.
1. Show that the (monoalphabetic) shift cipher is perfectly secure for messages of length
one, i.e., message-space {a, ..., z}.
2. What is the maximum message-space for which the (monoalphabetic) substitution
cipher can be perfectly secure?

Exercise 2. [Worst-case vs adversarially-selected messages] Recall the two-world
definition of perfect secrecy from Lecture 03: an SKE Π = (Gen, Enc, Dec) is perfectly secret if
for every eavesdropper Eve and every $(m_0, m_1) \in \mathcal{M}$

$$\Pr_{\substack{k \leftarrow \mathsf{Gen} \\ c \leftarrow \mathsf{Enc}(k, m_0)}}[\mathsf{Eve}(c) = 0] - \Pr_{\substack{k \leftarrow \mathsf{Gen} \\ c \leftarrow \mathsf{Enc}(k, m_1)}}[\mathsf{Eve}(c) = 0] = 0$$

Now, let’s consider the following alternative definition where the challenge messages
$(m_0, m_1)$ are chosen adversarially by (a stateful) Eve instead of being fixed worst case as
above. An SKE Π = (Gen, Enc, Dec) is said to be perfectly secret if for every (stateful)
eavesdropper $\mathsf{Eve}^*$ and every $(m_0, m_1) := \mathsf{Eve}^*$

$$\Pr_{\substack{k \leftarrow \mathsf{Gen} \\ c \leftarrow \mathsf{Enc}(k, m_0)}}[\mathsf{Eve}^*(c) = 0] - \Pr_{\substack{k \leftarrow \mathsf{Gen} \\ c \leftarrow \mathsf{Enc}(k, m_1)}}[\mathsf{Eve}^*(c) = 0] = 0$$

Show that the two definitions are equivalent: that is, if Π is perfectly secure according
to the first definition then Π is also perfectly secure according to the second definition,
and vice versa.
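
For small schemes the quantity in the first definition can be computed exactly by enumerating every key. The following is an added example, not part of the assignment, and a numerical check rather than a proof; the function names and the 3-bit one-time-pad space are choices made here for illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import product
import string

ALPHABET = string.ascii_lowercase

def shift_enc(k, m):
    """Shift cipher: the same shift k in 0..25 is applied to every letter of m."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + k) % 26] for ch in m)

def otp_enc(k, m):
    """One-time pad on equal-length bit tuples."""
    return tuple(kb ^ mb for kb, mb in zip(k, m))

def ciphertext_dist(keys, enc, m):
    """Exact distribution of c = Enc(k, m) when Gen picks k uniformly from keys."""
    counts = Counter(enc(k, m) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def best_advantage(keys, enc, m0, m1):
    """Largest Pr[Eve(c)=0 | m0] - Pr[Eve(c)=0 | m1] over deterministic Eve.

    The maximising Eve outputs 0 exactly on the ciphertexts that are more
    likely under m0, so the value is the statistical distance.
    """
    d0 = ciphertext_dist(keys, enc, m0)
    d1 = ciphertext_dist(keys, enc, m1)
    return sum(max(p - d1.get(c, 0), 0) for c, p in d0.items())

def worst_case_advantage(keys, enc, messages):
    """Maximum of best_advantage over every pair (m0, m1) in the message space."""
    return max(best_advantage(keys, enc, m0, m1)
               for m0, m1 in product(messages, repeat=2))

SHIFT_KEYS = range(26)
BITS3 = list(product((0, 1), repeat=3))  # constructed 3-bit key/message space

if __name__ == "__main__":
    print(worst_case_advantage(SHIFT_KEYS, shift_enc, ALPHABET))  # one letter
    print(best_advantage(SHIFT_KEYS, shift_enc, "aa", "ab"))      # two letters
    print(worst_case_advantage(BITS3, otp_enc, BITS3))            # 3-bit OTP
```
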

Exercise 3. [Randomisation is useless for unbounded Eve] Recall from Lecture 03 that
an SKE Π = (Gen, Enc, Dec) is perfectly secret if for all eavesdroppers Eve

$$\Pr_{\substack{(m_0, m_1) \leftarrow \mathsf{Eve}(1^n) \\ k \leftarrow \mathsf{Gen}(1^n) \\ c \leftarrow \mathsf{Enc}(k, m_0)}}[\mathsf{Eve}(c) = 0] - \Pr_{\substack{(m_0, m_1) \leftarrow \mathsf{Eve}(1^n) \\ k \leftarrow \mathsf{Gen}(1^n) \\ c \leftarrow \mathsf{Enc}(k, m_1)}}[\mathsf{Eve}(c) = 0] = 0$$

Show that the notion of perfect secrecy does not change if we allow Eve to be randomised.
That is, show that if there exists a randomised Eve′ that breaks Π then there exists a
deterministic Eve that breaks Π. (Hint: figure out a way to fix the random coin of Eve′
that maximises its chances.)



Exercise 4. [More on one-time pad (OTP)] Recall the definition of OTP from Lecture
03.

1. The goal of this exercise is to help you understand more about randomness in
the encryption algorithm. Recall that the encryption algorithm of OTP is deterministic.
Modify OTP to come up with two perfectly-secure SKE schemes $\Pi_1$ and $\Pi_2$ that
have randomised encryption algorithms, and such that leaking the random coins
used in encryption leads (a) $\Pi_1$ to become insecure and (b) $\Pi_2$ to remain secure.

2. Let’s consider OTP against a tampering adversary Tam who can modify a ciphertext
$c$ of some message $m = m_0 \cdots m_{\ell-1} \in \{0, 1\}^\ell$ before it reaches the recipient, Caesar’s
general. Can Tam tamper $c$ to some ciphertext $c'$ such that Caesar’s general decrypts
$c'$ to each of the following? If your answer is ‘yes’, then describe Tam; if it is ‘no’, justify.

(a) $m \oplus (110^{\ell-2})$, i.e., $m$ with the first two bits flipped (assume $\ell \geq 2$)
(b) $0^n$
(c) $m_1 m_0 m_2 \cdots m_{\ell-1}$, i.e., the first two bits of $m$ swapped

3. Suppose an OTP key is used to encrypt two messages m0 and m1 of your choice.
Is it possible to recover the key with certainty?

Exercise 5. [Negligible functions] Recall the definition of negligible functions from
Lecture 04.

1. Are $f_p$ and $f_M$ negligible, and why? Here, a Mersenne prime is a prime of the form
$M_n := 2^n - 1$.

$$f_p(n) := \begin{cases} 1/n^{314159} & \text{if } n \text{ is a prime} \\ 1/2^n & \text{otherwise} \end{cases}$$

$$f_M(n) := \begin{cases} 1/n^{314159} & \text{if } M_n \text{ is a Mersenne prime} \\ 1/n^{\log(n)} & \text{otherwise} \end{cases}$$

2. If $\nu_1$ and $\nu_2$ are negligible functions, which of the following functions are also
(always) negligible? In case the function is negligible, give a proof; in case not,
provide a counter-example.

(a) $f_+(n) := \nu_1(n) + \nu_2(n)$
(b) $f_\times(n) := \nu_1(n) \times \nu_2(n)$
(c) $f_\div(n) := \nu_1(n) \div \nu_2(n)$

Exercise 6. [Message length in definitions] Recall the definition of adversarial
indistinguishability (Definition 4) from Lecture 04. I didn’t stress during the lecture that the
messages $m_0, m_1$ that Eve outputs must be of same length (i.e., $|m_0| = |m_1|$). You will try
to understand why through this exercise. Prove that a Π that supports arbitrary length
messages (i.e., the message-space is $\{0, 1\}^*$) cannot satisfy adversarial indistinguishability
if Eve is not restricted to challenging on equal length messages.



Exercise 7. [PRG or not?] Recall the definition of PRGs from Lecture 05. Let G be a
PRG that stretches from n bits to n + 1 bits. Which of the following candidates based
on G are also (always) PRGs? In case your claim is that a candidate is a PRG, provide
a proof; in case not, provide a counter-example and the efficient distinguisher.

1. Duplicating PRG: $G_d(s) := s \| s$, where $\|$ denotes string concatenation

2. Leaky PRG: $G_\ell(s \| b) := G(s) \| b$, where $b \in \{0, 1\}$

3. Complementary PRGs: G1 (s) := G(s) and G2 (s) := G(s), where for a bit-string $s$, $\overline{s}$
denotes bit-complement.

4. Singly punctured PRG:

$$G_p(s) := \begin{cases} 0^{|s|+1} & \text{if } s \text{ of the form } 0^{|s|} \\ G(s) & \text{otherwise} \end{cases}$$

5. Heavily punctured PRG:

$$G_h(s) := \begin{cases} 0^{|s|+1} & \text{if } s \text{ of the form } 0^{\lfloor \log(|s|) \rfloor} \| \{0, 1\}^* \\ G(s) & \text{otherwise} \end{cases}$$

6. Prefixing PRG: $G_f(s) := G(0^{|s|} \| s)$
