Cryptography CS 507 Computer Science and Engineering Department

Homework #3
1. Even though extremely secure cryptographic algorithms are used, cryptosystems can
sometimes be broken due to hat is knon as a protocol failure! "his exercise
demonstrates such a protocol #ailure, or a careless use o# cryptographic algorithms! $et us
assume %ob has an &S' cryptosystems ith a very large modulus hose #actori(ation is
hard to #ind )e!g! the modulus is *0+,-bit long.! 'lice ants to send a message to %ob by
representing each alphabetic character as an integer beteen 0 and +5)i!e! '/0, %/*, and
so on. and then encrypting each letter as a separate plaintext character using %ob0s public
key!
a. Describe your cryptanalytic approach to break this cryptosystem!
b. Demonstrate that your approach is use#ul to break such an &S' cryptosystem using
the #olloing setting1 %ob0s public key is )***2345**7, 7. and 'lice encrypted her
plaintext and obtained the ciphertext )*, *324,, ,*0224372, +75523, 0, 2542*404,
*05,*250,, 45247*725, *+4, *05,*250,, 2542*404, *324,, 3*+++002+, 74*+5,
,*0224372, *05,*250,, 2542*404, *, *324,, *2*720553, 0, ,*0224372, 2542*404,
*332*,442, +*47, *332*,442.! Do not factor the modulus!
c. Describe your suggestion #or #ixing this problem! "he goal is that the encryption
#unction yields di##erent ciphertexts #or the same plaintext! (10 points)
(a) 6scar can easily prepare a dictionary o# alphabet characters and their encrypted
versions! "he dictionary ould be sorted and indexed according to the ciphertext
column! 6scar can break an eavesdropped ciphertext into ciphertext characters and
convert to plaintext by a simple and e##icient dictionary lookup procedure!
(b) 7e prepare a table by #irst converting readable characters into integers in 8
+3
and then
by encrypting each integer using &S' ith n / ***2345**7 and e / 7!
A B C D E
0 0 * * + *+4 2 +*47 , *324,
F G H !
5 74*+5 3 +75523 7 4+25,2 4 +057*5+ 5 ,74+535
" # $ % &
*0 *0000000 ** *5,47*7* *+ 2542*404 *2 3+7,45*7 *, *05,*250,
' ( ) * +
*5 *70455275 *3 +344,25,53 *7 ,*0224372 *4 3*+++002+ *5 45247*725
, - . / 0
+0 *332*,442 +* 347,02,+, ++ +3354735, +2 32770053 +, *2*720553
1
+5 5250500,0
(c) One way of fxing this problem is to encrypt several letters at once. But
even with this approach, RSA is still a deterministic cryptosystem, that is,
the same seuence of plaintext letters maps to the same ciphertext. "he
encryption may be chained )e!g! C%C, 69% etc!. and the initial message text should be
randomi(ed, perhaps ith a timestamp or a pseudo-random number!
2. 7hat is the output o# the #irst iteration o# the DES algorithm hen the both plaintext and
the key are all (ero: (10 points)
"he 3,-bit input is x
0
/00!!!0 )3,-(eroes.! "he initial permutation has no e##ect! ;ence
$
0
/00!!!0 )2+-(eroes. and &
0
/00!!!0 )2+-(eroes.! 'pplying the key schedule hich is a
#ixed permutation on the input bits o# the key yields the round key <
*
/ )00!!0. ),4-(eroes.!
"he round computes &
*
/$
0
=6& #)&
0
, <*.
"he #-#unction
(a) 9irst expands &
0
into ,4-bit long bitstring using a #ixed permuted expansion rule!
Since only permutations and repetitions are used this ill yield a ,4-bit 0 string!
(b) "he result is =6&ed ith <*, hich produces a ,4-bit (ero string!
(c) "he ,4-bit 0 string is divided into eight 3-bit chunks and the ith chunk is trans#ormed
under the rule speci#ied in the Si box! 000000 is mapped 4 times ith boxes Si i/*,!!,4
and produces the #olloing se>uence o# ,-bit values1 *,, *5, *0, 7, +, *+, ,, *2! ?n
binary e obtain the #olloing se>uence1
***0 **** *0*0 0*** 00*0 **00 0*00 **0*
(d) 9inally the bit-string is permuted according to the @ table to the #olloing1
**0* *000 **0* *000 **0* *0** *0** **00
"his is the result o# #)&
0
.,<*.
"he right hal# &
*
/$
0
=6& #)&
0
.,<*. is simply the output o# #)&
0
.,<*. since the $
0
is
(ero! $
*
/ &
0
/ )00!!0. )2+-(eroes.! Concatenating both yields the #olloing 3,-bit
string, hich is the output o# round *!
0000 0000 0000 0000 0000 0000 0000 0000 **0* *000 **0* *000 **0* *0** *0** **00
3. DES has a somehat surprising property related to bitise complements o# its inputs
and output! 7e ill investigate the property in this problem! 7e denote the bitise
complement o# a number ' )that is, all bits are A#lippedB. by '0! 7e ant to sho that
i#
y / DES
k
)x.
then
y / DES
k
)x0.!
"his states that i# e complement the plaintext and the key, then the ciphertext output
ill also be the complement o# the original ciphertext! Cour task is to prove this
property! (20 points)
"o prove the statement e make the #olloing observations1
"he initial and #inal permutations are simple rearrangements and there#ore do
preserve the complements1 ?@)xD. / )?@)x..D and ?@
-*
)xD. / )?@
-*
)x..D
'll rounds are identicalE proving that one round generates a complemented
output #or a complemented input proves that all rounds behave similarly!
?n round i, the #olloing is computed
&
i
/$
i-*
#)&
i-*
, <
i
.!
?n the computation o# the #-#unction, the expansion o# the input clearly preserves
complements since its a simple permutation ith some additional repetitions1
E)xD./)E)x..D! Similarly the key-schedule preserves the complement! "he =6& o# <
i

and E)xD. yields <
i
D E)xD. / <
i
D E)x.D / <
i
E)x.! "his #ollos #rom a basic
property o# the =6& #unction aD bD / a b! "hus, the input to the S-boxes ill be
identical to the uncomplemented case! Conse>uently, e end up ith the #olloing
interesting property1
#)&
i-*
D, <
i
D. / #)&
i-*
, <
i
.
"he round computation becomes
&
i
/$
i-*
D #)&
i-*
D, <
i
D.
&
i
/$
i-*
D #)&
i-*
, <
i
.
&
i
/ $
i-*
D * #)&
i-*
, <
i
. / )$
i-*
#)&
i-*
, <
i
..D!
"his shos that the right hal# is complemented hen the input and the key is
complemented! "he le#t hal# is simply the copy o# the right hal# in the previous round!
;ence, the entire output is complemented!
4. $et K / ***F*** be the DES key consisting o# all *0s!
a. Sho that i# DES
K
)x. / y, then i# DES
K
)y. / x, so encryption tice ith this key
returns the plaintext!
b. 9ind another key ith the same property as K in part )a.! (20 points)
a! ?# the #olloing condition #or round keys hold the encryption operation in DES ill be
identical to decryption operation1
<
i
/ <
*7-i
#or * i *3
?t is easy to see that this condition holds hen a DES key is all ones or all (eros!
b! 'll (eros key ould be trivial #or this! "he #our DES eak keys and the corresponding
C
0
and D
0
pairs are shon in the table belo!
7eak keys )hexadecimal. C
0
D
0
0*0* 0*0* 0*0* 0*0* 'll (eros 'll (eros
9E9E 9E9E 9E9E 9E9E 'll ones 'll ones
*9*9 *9*9 0E0E 0E0E 'll (eros 'll ones
E0E0 E0E0 9*9* 9*9* 'll ones 'll (eros
5. (AE*) Sho the #irst eight ords o# the key expansion #or a *+4-bit key o# all (eros in
'ES! (10 points)

=
0x0
0x0
0x0
0x0
. 0 ) W
,

=
0x0
0x0
0x0
0x0
. * ) W
,

=
0x0
0x0
0x0
0x0
. + ) W
,

=
0x0
0x0
0x0
0x0
. 2 ) W

=
0x32
0x32
0x32
0x3+
. , ) W
,

=
0x32
0x32
0x32
0x3+
. 5 ) W
,

=
0x32
0x32
0x32
0x3+
. 3 ) W
,

=
0x32
0x32
0x32
0x3+
. 7 ) W
6. (AE*) Given the plaintext H000*0+020,05030704050'0%0C0D0E09I and the key
H0*0*0*0*0*0*0*0*0*0*0*0*0*0*0*0*I
c. Sho the original contents o# *tate, displayed as a ,, matrix!
d. Sho the value o# *tate a#ter initial 'dd&oud<ey!
e. Sho the value o# *tate a#ter Sub%ytes!
f. Sho the value o# *tate a#ter Shi#t&os
7. Sho the value o# *tate a#ter JixColumns! (15 points)
a!
state /

F B
E A
D
C
0 0 07 02
0 0 03 0+
0 05 05 0*
0 04 0, 00
b! 'dd 0
th
round key
<ey /

0* 0* 0* 0*
0* 0* 0* 0*
0* 0* 0* 0*
0* 0* 0* 0*

F B
E A
D
C
0 0 07 02
0 0 03 0+
0 05 05 0*
0 04 0, 00

0* 0* 0* 0*
0* 0* 0* 0*
0* 0* 0* 0*
0* 0* 0* 0*
/

E A
F B
C
D
0 0 03 0+
0 0 07 02
0 04 0, 00
0 05 05 0*
c! %yte Substitution

E A
F B
C
D
0 0 03 0+
0 0 07 02
0 04 0, 00
0 05 05 0*

AB F
B C B
FE F
D B C
37 3 77
73 + 5 7
20 + 32
7 0* 3 7
d! Shi#ting &os

AB F
B C B
FE F
D B C
37 3 77
73 + 5 7
20 + 32
7 0* 3 7

37 3 77
5 7 73 +
32 20 +
7 0* 3 7
F AB
C B B
FE F
D B C
e! Jixing Column

0+ 0* 0* 02
02 0+ 0* 0*
0* 02 0+ 0*
0* 0* 02 0+

37 3 77
5 7 73 +
32 20 +
7 0* 3 7
F AB
C B B
FE F
D B C
/

B F
C B E E
E
A F E
0 54 *5 3
4 4 + 2
++ 0, 3 55
+ 0 7 7,
8. Compare 'ES to DES! 9or each o# the #olloing elements o# DES, indicate the
comparable element in 'ES or explain hy it is not needed in 'ES!
a. =6& o# subkey material ith the input to the f #unction!
b. =6& o# the f #unction output ith the le#t hal# o# the block!
c. "he f #unction!
d. @ermutation P.
e. Sapping halves o# the block (15 points)
a! 'dd&ound<ey
b! Since 'ES is not 9eistel cipher this step is not necessary!
c! %yteSub
d! Shi#t&o and JixColumn!
e! Ko Sapping o# halves!