# hw1

```HW1
(due Sep. 26)
1. Using the letter encodings in the Table of the lecture notes, the following ciphertext message
was encrypted with a one-time pad
KITLKE.
If the plaintext is “thrill,” what is the key? If the plaintext is “tiller,” what is the key?
2. Suppose that you have a message consisting of 1024 bits. Design a method that will extend
a key that is 64 bits long into a string of 1024 bits. These 1024 bits will then be XORed with the
message, just like a one-time pad. Is the resulting cipher as secure as a one-time pad? Is it
possible for any such cipher to be as secure as a one-time pad?
3. The formula for counter mode encryption is
Ci = Pi ⊕ E(IV+i, K)
Suppose instead we use the formula
Ci = Pi ⊕ E(K, IV+i)
Is this secure? If so, why? If not, describe an attack.
4. Consider a Feistel cipher with four rounds and P = (L0, R0). What is the ciphertext C if the
round function is
a. F(Ri-1,Ki) = Kj
b. F(Ri-1,Ki) = Ri-1 ⊕ Kj
5. Alice has four blocks of plaintext, P0, P1, P2, P3, which she encrypts using CBC mode to
obtain C0, C1, C2, C3. She then sends the IV and ciphertext to Bob. Upon receiving the
ciphertext, Bob plans to verify the integrity as follows. He’ll first decrypt to obtain the putative
plaintext, and then he’ll re-encrypt this plaintext using CBC mode and the received IV. If he
obtains the same C3 as the final ciphertext block, he will trust the integrity of the plaintext.
a. Suppose that Trudy changes C1 to a random value X (leaving all other blocks and the IV
unchanged). Will Bob detect that the data lacks integrity?
b. Suppose that Trudy changes C3 to a random value Y (leaving all other blocks and the IV
unchanged). Will Bob detect that the data lacks integrity?
6. Suppose Alice has four blocks of plaintexts, P0, P1, P2, P3 and she computes a MAC using
key K1, and then CBC encrypts the data using key K2 to obtain C0, C1, C2, C3. Alice sends the IV,
the ciphertext, and the MAC to Bob. However, Trudy intercepts the message and replaces C1
with X, so that Bob receives the IV, C0, X, C2, C3, and the MAC. Bob attempts to verify the
integrity of the data by decrypting (using key K2) and then computing the MAC (using key K1) on
the putative plaintext.
a. Show that Bob will detect Trudy’s tampering.
b. Suppose that Alice and Bob only share a single symmetric key K. They agree to let K1 = K and
K2 = K ⊕ Y, where Y is known to Alice, Bob, and Trudy. Does this create any security problem?
```
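
The decrypt-then-re-encrypt check from problem 5 can be run directly. The sketch below is an added example, not part of the original assignment. It assumes a toy 4-round Feistel block cipher whose round function is a truncated SHA-256 (an illustrative stand-in, not a real cipher), and the key, IV, plaintext blocks and Trudy's replacement values are all constructed.

```python
import hashlib

BLOCK, HALF = 16, 8  # toy block size in bytes (constructed for this example)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(half, key, rnd):  # round function: truncated SHA-256 (assumption)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def enc_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, f(r, key, rnd))
    return l + r

def dec_block(key, blk):
    l, r = blk[:HALF], blk[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, f(l, key, rnd)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = enc_block(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):  # P_i = D(C_i) XOR C_{i-1}, with C_{-1} = IV
    return [xor(dec_block(key, c), prev) for prev, c in zip([iv] + blocks, blocks)]

def bob_check(key, iv, received):
    # Bob's proposed test: decrypt, re-encrypt, compare the last block
    putative = cbc_decrypt(key, iv, received)
    return cbc_encrypt(key, iv, putative)[-1] == received[-1]

def demo():
    key, iv = b"k" * 16, b"\x00" * BLOCK             # constructed values
    plain = [bytes([i]) * BLOCK for i in range(4)]   # constructed P0..P3
    cipher, results = cbc_encrypt(key, iv, plain), {}
    for idx in (1, 3):                               # Trudy replaces C1, then C3
        tampered = list(cipher)
        tampered[idx] = hashlib.sha256(b"trudy%d" % idx).digest()[:BLOCK]
        got = cbc_decrypt(key, iv, tampered)
        changed = [i for i in range(4) if got[i] != plain[i]]
        results[idx] = (bob_check(key, iv, tampered), changed)
    return results
print(demo())  # {1: (True, [1, 2]), 3: (True, [3])}
```

Each result pairs the outcome of Bob's check with the indices of the plaintext blocks that no longer match what Alice sent.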