Add to collection(s) Add to saved
  1. No category
Uploaded by 杨朝辉

ECE-571-HW-2, Network security and Cryptography

advertisement 
Homework 2
1. If the useful life of DES was about 20 years (1977-1999), how long do
you predict the useful life of AES (128-bits key) to be? Justify your answer.
(Hint: you may need to consider the answer of the above problem, and
Moore’s Law (Google it) in order to answer this problem.)
128-bit AES is equivalent with
*DES. Suppose the cracking ability (computing ability)
is twice of that in each previous year, so it will take about 56 years to crack AES out.
2. Prove the decryption in a Feistel cipher can be done by applying the
encryption algorithm to the ciphertext, with the key schedule reserved.
(Problem 3.2 from Stinson's book)
Note: it doesn't need to be very formal; you just need to have a convincing argument to show
the point. This problem is very similar to Problem 4.7 in the textbook.
In the i-th round encryption process,
thus the last i-th decryption process could be expressed as
which is equivalent with re-applying the encryption algorithm with the specific key
reserved.
3. What is the output of the first round of DES when the plaintext and the
key are both all zeros? What if the plaintext and the key are all ones?
(Complete details of each DES round can be found in the textbook
appendix S, or here: http://page.math.tu-berlin.de/~kant/teaching/hess/kr
ypto-ws2006/des.htm )
Since the plaintext and the key are both 0's, the input of 1st round is
According to the Feistel cipher: by expanding
i.e.,
. Then
XORed
=
into 48-bit data, the result is also all 0's,
. Thus,
To apply the DES S-boxes and P-table, first split
Therefore, the result is Concatenate(
,
into eight 6-bit strings, then
), i.e.,
0000 0000 0000 0000 0000 0000 0000 0000 1101 1000 1101 1000 1101 1011 1011 1100
4. An important property which makes DES secure is that the S-boxes are
nonlinear. Verify the nonlinearity of the S-boxes by computing the output
of box , for three pairs of inputs. Then show that
for
a. x1 = 000000, x2 = 000001
b. x1 = 111111, x2 = 100000
c. x1 = 101010, x2 = 010101
The first S-box is shown below:
Denote
below:
a.
,
,
b.
,
,
c.
,
,
5. Assume that bit 57 of a 64 plaintext block is 1 with all other bits equal
to zero. Let the key be all zeros.
a. How many S-boxes get different inputs compared to the case of an allzero plaintext, in the first round of DES?
b. What is the number of output bits which are different compared to the
input after the first round?
c. How many output bits have actually changed after the first round
compared to the case of an all-zero plaintext (consider only one round).
Does DES exhibit the avalanche effect (small changes in the plaintext yield
significant changes in the ciphertext)?
Do not forget to apply the initial permutation on the plaintext before passing it through the
DES round.
Pliantext:
Where
means concatenation.
After the initial permutation based on P-table,
the 1st round is
By expanding the bits of
,
is obtained. Then the input of
is obtained. Then with XORed with the key
the result is also
Through the DES eight S-boxes, the output is
Then after P permutation, the output is
that is
.
Thus the output of 1st round encryption
is
,
0000 0000 0000 0000 0000 0000 0000 0000 1010 0000 1011 0000 1011 0111 0011 1101
a. Inputs of S1, S8, and (S2, …, S7) are different as the above
b. There are 15 bits in the output different with that in the input
c. By comparing "0000 0000 0000 0000 0000 0000 0000 0000 1101 1000 1101 1000 1101
1011 1011 1100" with "0000 0000 0000 0000 0000 0000 0000 0000 1010 0000 1011 0000
1011 0111 0011 1101", the number of different bits is 13.
Since the difference between inputs lies on only 1 bit, while corresponding outputs differ
at 13 bits, the "avalanche effect" is obvious.
6. Compare AES to DES. For each of the following elements of DES,
indicate the comparable element in AES or explain why it is not needed in
AES.
a. XOR of subkey material with the input to the f function
b. XOR of the f function output with the left half of the block
c. f function
d. permutation P
e. swapping of halves of the block (Problem 6.6 from the textbook)
DES encryption pipeline per round: Feistel cipher
AES encryption pipeline per round: ByteSub( ) –> ShiftRows( ) –> MixColumns( ) –>
AddRoundKey( )
a. adding round keys
b. not demanded in AES since AES do not belong to Feistel cipher
c. Byte substitution (both use S-box)
d. shifting rows and mixing columns
e. it does not consists of this step
7. Consider the following alternative method of encrypting a message. To
encrypt a message, use the algorithm for doing a CBC decrypt. To decrypt
a message, use the algorithm for doing a CBC encrypt. Would this work?
What are the security implications of this, if any, as contrasted with the
“normal” CBC?
normal CBC:
encryption:
Decryption:
herein CBC:
encryption:
decryption:
is exactly the inverse process of encryption
Thus herein this kind of en/decryption algorithm really works.
Because this algorithm does not demonstrate the cascade feature of cipher when
encrypting, its hidden security danger is apparent with this algorithm. Although with
different IV values, if the input is the same plaintext, the outputs are different with only
the 1st block but are the same on the rest all blocks.
8. For any block cipher, the fact that it is a nonlinear function is crucial to
its security. To see this, suppose that we have a linear block cipher EL that
encrypts 256-bit blocks of plaintext into 256-bit blocks of ciphertext. Let
EL(k, m) denote the encryption of a 256-bit message m under a key k (the
actual bit length of k is irrelevant). Thus,
EL(k, [m1⊕
⊕ m2]) = EL(k, m1) ⊕ EL(k, m2) for all 128-bit patterns m1, m2.
Describe how, with 256 chosen ciphertexts, an adversary can decrypt any
ciphertext without knowledge of the secret key k. (A “chosen ciphertext”
means that an adversary has the ability to choose a ciphertext and then
obtain its decryption. Here, you have 256 plaintext/ciphertext pairs to
work with and you have the ability to choose the value of the
ciphertexts.) (Problem 4.5 from textbook)
Denote
,
, i.e., only the -th (from-low-to-high-bit) entry
of the 256-bit string is 1 while all others are 0's. For any given plaintext or ciphertext , it
could be expressed as
For the linear cipher EL, its encryption and decryption both demonstrate linearity. Thus,
in "chosen-ciphertext" attack, if we chose
, the cipher is cracked already.
For instance, for any unknown cipher , its coefficients
corresponding plaintext to decrypt is (notice that
9. Find keys K such that for
is obvious acquired, then the
)
,
Such a key is sometimes called a “weak” key. How many weak keys can you find? To
solve this problem you need to look up the exact key schedule generation
algorithm for DES. For details refer to http://page.math.tu-berlin.de/~kant/teachin
g/hess/krypto-ws2006/des.htm (Show your work or you will receive zero credit!)
Due to the conclusion of Problem 1 in the above, to ensure
, there must be
It is equivalent with that in each round the same subkey is generated, which means
rotating all 0's or all 1's. Therefore, there are four weak keys as follows in hexadecimal:
Related documents
CS 472 Network and Systems ecurity Open Book & Notes
CS 472 Network and Systems ecurity Open Book & Notes
Q. A typical combination lock (A) requires three turns between... have a special combination lock (B) that requires five turns...
Q. A typical combination lock (A) requires three turns between... have a special combination lock (B) that requires five turns...
ELEC 5200-001/6200-001 Computer Architecture and Design Fall 2007 Homework 9 Problems
ELEC 5200-001/6200-001 Computer Architecture and Design Fall 2007 Homework 9 Problems
Cover Letter
Cover Letter
Download
advertisement