Homework 2 1. If the useful life of DES was about 20 years (1977-1999), how long do you predict the useful life of AES (128-bits key) to be? Justify your answer. (Hint: you may need to consider the answer of the above problem, and Moore’s Law (Google it) in order to answer this problem.) 128-bit AES is equivalent with *DES. Suppose the cracking ability (computing ability) is twice of that in each previous year, so it will take about 56 years to crack AES out. 2. Prove the decryption in a Feistel cipher can be done by applying the encryption algorithm to the ciphertext, with the key schedule reserved. (Problem 3.2 from Stinson's book) Note: it doesn't need to be very formal; you just need to have a convincing argument to show the point. This problem is very similar to Problem 4.7 in the textbook. In the i-th round encryption process, thus the last i-th decryption process could be expressed as which is equivalent with re-applying the encryption algorithm with the specific key reserved. 3. What is the output of the first round of DES when the plaintext and the key are both all zeros? What if the plaintext and the key are all ones? (Complete details of each DES round can be found in the textbook appendix S, or here: http://page.math.tu-berlin.de/~kant/teaching/hess/kr ypto-ws2006/des.htm ) Since the plaintext and the key are both 0's, the input of 1st round is According to the Feistel cipher: by expanding i.e., . Then XORed = into 48-bit data, the result is also all 0's, . Thus, To apply the DES S-boxes and P-table, first split Therefore, the result is Concatenate( , into eight 6-bit strings, then ), i.e., 0000 0000 0000 0000 0000 0000 0000 0000 1101 1000 1101 1000 1101 1011 1011 1100 4. An important property which makes DES secure is that the S-boxes are nonlinear. Verify the nonlinearity of the S-boxes by computing the output of box , for three pairs of inputs. Then show that for a. x1 = 000000, x2 = 000001 b. x1 = 111111, x2 = 100000 c. x1 = 101010, x2 = 010101 The first S-box is shown below: Denote below: a. , , b. , , c. , , 5. Assume that bit 57 of a 64 plaintext block is 1 with all other bits equal to zero. Let the key be all zeros. a. How many S-boxes get different inputs compared to the case of an allzero plaintext, in the first round of DES? b. What is the number of output bits which are different compared to the input after the first round? c. How many output bits have actually changed after the first round compared to the case of an all-zero plaintext (consider only one round). Does DES exhibit the avalanche effect (small changes in the plaintext yield significant changes in the ciphertext)? Do not forget to apply the initial permutation on the plaintext before passing it through the DES round. Pliantext: Where means concatenation. After the initial permutation based on P-table, the 1st round is By expanding the bits of , is obtained. Then the input of is obtained. Then with XORed with the key the result is also Through the DES eight S-boxes, the output is Then after P permutation, the output is that is . Thus the output of 1st round encryption is , 0000 0000 0000 0000 0000 0000 0000 0000 1010 0000 1011 0000 1011 0111 0011 1101 a. Inputs of S1, S8, and (S2, …, S7) are different as the above b. There are 15 bits in the output different with that in the input c. By comparing "0000 0000 0000 0000 0000 0000 0000 0000 1101 1000 1101 1000 1101 1011 1011 1100" with "0000 0000 0000 0000 0000 0000 0000 0000 1010 0000 1011 0000 1011 0111 0011 1101", the number of different bits is 13. Since the difference between inputs lies on only 1 bit, while corresponding outputs differ at 13 bits, the "avalanche effect" is obvious. 6. Compare AES to DES. For each of the following elements of DES, indicate the comparable element in AES or explain why it is not needed in AES. a. XOR of subkey material with the input to the f function b. XOR of the f function output with the left half of the block c. f function d. permutation P e. swapping of halves of the block (Problem 6.6 from the textbook) DES encryption pipeline per round: Feistel cipher AES encryption pipeline per round: ByteSub( ) –> ShiftRows( ) –> MixColumns( ) –> AddRoundKey( ) a. adding round keys b. not demanded in AES since AES do not belong to Feistel cipher c. Byte substitution (both use S-box) d. shifting rows and mixing columns e. it does not consists of this step 7. Consider the following alternative method of encrypting a message. To encrypt a message, use the algorithm for doing a CBC decrypt. To decrypt a message, use the algorithm for doing a CBC encrypt. Would this work? What are the security implications of this, if any, as contrasted with the “normal” CBC? normal CBC: encryption: Decryption: herein CBC: encryption: decryption: is exactly the inverse process of encryption Thus herein this kind of en/decryption algorithm really works. Because this algorithm does not demonstrate the cascade feature of cipher when encrypting, its hidden security danger is apparent with this algorithm. Although with different IV values, if the input is the same plaintext, the outputs are different with only the 1st block but are the same on the rest all blocks. 8. For any block cipher, the fact that it is a nonlinear function is crucial to its security. To see this, suppose that we have a linear block cipher EL that encrypts 256-bit blocks of plaintext into 256-bit blocks of ciphertext. Let EL(k, m) denote the encryption of a 256-bit message m under a key k (the actual bit length of k is irrelevant). Thus, EL(k, [m1⊕ ⊕ m2]) = EL(k, m1) ⊕ EL(k, m2) for all 128-bit patterns m1, m2. Describe how, with 256 chosen ciphertexts, an adversary can decrypt any ciphertext without knowledge of the secret key k. (A “chosen ciphertext” means that an adversary has the ability to choose a ciphertext and then obtain its decryption. Here, you have 256 plaintext/ciphertext pairs to work with and you have the ability to choose the value of the ciphertexts.) (Problem 4.5 from textbook) Denote , , i.e., only the -th (from-low-to-high-bit) entry of the 256-bit string is 1 while all others are 0's. For any given plaintext or ciphertext , it could be expressed as For the linear cipher EL, its encryption and decryption both demonstrate linearity. Thus, in "chosen-ciphertext" attack, if we chose , the cipher is cracked already. For instance, for any unknown cipher , its coefficients corresponding plaintext to decrypt is (notice that 9. Find keys K such that for is obvious acquired, then the ) , Such a key is sometimes called a “weak” key. How many weak keys can you find? To solve this problem you need to look up the exact key schedule generation algorithm for DES. For details refer to http://page.math.tu-berlin.de/~kant/teachin g/hess/krypto-ws2006/des.htm (Show your work or you will receive zero credit!) Due to the conclusion of Problem 1 in the above, to ensure , there must be It is equivalent with that in each round the same subkey is generated, which means rotating all 0's or all 1's. Therefore, there are four weak keys as follows in hexadecimal: