ECE578_final exam 2010

ECE578 Final Examination
June 7, 2010
This is an open-book, take home exam. You may refer to the text and to your class notes.
You are on your honor to devote no more than three hours in total to completing the
exam. You may not collaborate with anyone in completing the exam.
This examination is due not later than 8:00 P.M. EST, June 21, 2010, in electronic form.
It should be sent to my email address: rstanley@ece.wpi.edu. Exams received after the
deadline will not be accepted. You must include the following Honor Code statement
and send the exam from your own email address for the examination to be graded:
I have neither given nor received any assistance in the completion of this
examination, and I have spent no more than three hours total in completing it.
1. (10 points) The minimum key length for the AES algorithm is 128 bits. Assume that a
special purpose hardware key-search machine can test one key in 10 nanoseconds on one
processor. The processors can be parallelized. Assume further that one such processor
costs $10, including overhead. We assume that Moore’s law holds, according to which
processor performance doubles every 18/2 months.
(a) How long do we have to wait until an AES key search machine can be built which
breaks the algorithm on average in one week and which doesn’t cost more than $1
million?
(b) Now instead of a wealthy individual, consider a government that is capable of
building a massively parallel machine costing hundreds to billions of dollars. For
instance, the Earth Simulator has a speed of 40 Teraflops (= 40 * 10^12 floating-point
operations per second). Assume a Rijndael encryption may be realized in software
running on this machine using 100 floating-point operations. Also assuming the
supercomputer is updated every 18 months to double in speed, how long do we have
to wait until the Earth Simulator will be capable of finding a Rijndael key in less than a
week?
2. (10 points)
(a) How many pieces of plaintext and ciphertext are required for breaking a block
cipher in ECB mode with k key bits? Assume that the block length is much longer
than the key length.
(b) Let's assume now that we do not know the initialization vector IV of the block cipher used in
CBC mode. Describe how many pieces of (i) plaintext and (ii) ciphertext are
required in order to break a CBC cipher by an exhaustive key search. How many
search steps are required in a worst-case scenario?
(c) Is breaking a block cipher in CBC mode by means of an exhaustive key search
considerably more difficult than breaking the same block cipher in ECB mode?
Why is the CBC mode often preferred over the ECB mode?
3. (15 points) We consider an LFSR-based stream cipher. The linear feedback shift
register is characterized by the polynomial 1 + x^3 + x^4 and the initial vector (z0 =
1; 0; 0; 0).
(a) What are the feedback coefficients c0, c1, c2, c3?
(b) Draw the block diagram of the LFSR.
(c) Is this a maximum-length LFSR?
(d) Encode the following binary message: 100111001100
(e) What is the maximum message length that should be encoded with this stream
cipher?
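A simulation of the LFSR in this problem, added here as an illustration and not part of the exam. It assumes the convention of Paar and Pelzl's Understanding Cryptography, in which the polynomial x^m + c_{m-1} x^{m-1} + ... + c_1 x + c_0 describes the recurrence s_{i+m} = c_{m-1} s_{i+m-1} + ... + c_0 s_i (mod 2); the function names are mine.

```python
# Added example (not part of the exam): the LFSR of problem 3 and the stream
# cipher built on it. Convention assumed (Paar/Pelzl, Understanding Cryptography):
# x^m + c_{m-1} x^{m-1} + ... + c_1 x + c_0 describes the recurrence
#   s_{i+m} = c_{m-1} s_{i+m-1} + ... + c_1 s_{i+1} + c_0 s_i  (mod 2).

def feedback_coefficients(exponents: set[int], m: int) -> list[int]:
    """Coefficients (c_0, ..., c_{m-1}) of a degree-m polynomial given the set
    of exponents with non-zero coefficient, e.g. {0, 3, 4} for 1 + x^3 + x^4."""
    assert m in exponents, "polynomial must have degree m"
    return [1 if j in exponents else 0 for j in range(m)]


def lfsr_keystream(coeffs: list[int], init: list[int], n: int) -> list[int]:
    """First n keystream bits s_0, s_1, ... for feedback coefficients
    (c_0, ..., c_{m-1}) and initial state (s_0, ..., s_{m-1})."""
    m = len(coeffs)
    assert len(init) == m, "initial state must fill the register"
    s = list(init)
    while len(s) < n:
        new_bit = 0
        for j in range(m):
            new_bit ^= coeffs[j] & s[len(s) - m + j]   # c_j * s_{i+j}, summed mod 2
        s.append(new_bit)
    return s[:n]


def period(coeffs: list[int], init: list[int]) -> int:
    """Number of steps until the register state first repeats. A maximum-length
    LFSR of degree m has period 2^m - 1 for every non-zero initial state."""
    m = len(coeffs)
    bits = lfsr_keystream(coeffs, init, 2 ** m + m)
    return next(t for t in range(1, 2 ** m + 1) if bits[t:t + m] == bits[:m])


def xor_with_keystream(message: str, coeffs: list[int], init: list[int]) -> str:
    """Stream-cipher encryption; applying it again to the result decrypts."""
    ks = lfsr_keystream(coeffs, init, len(message))
    return "".join(str(int(b) ^ k) for b, k in zip(message, ks))


if __name__ == "__main__":
    c = feedback_coefficients({0, 3, 4}, 4)
    print("c0..c3:", c)
    print("period:", period(c, [1, 0, 0, 0]), "(maximum length would be 2^4 - 1 = 15)")
    print("ciphertext:", xor_with_keystream("100111001100", c, [1, 0, 0, 0]))
```

Comparing the period against 2^m - 1 is the check for part (c); the same period bounds how much keystream can be used before it repeats, which is what part (e) asks about.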
4. (15 points) As a key exchange protocol, a strong Diffie-Hellman with, e.g., 2048-bit
modulus is being used. However, since your company also wants to export the system, as
an encryption algorithm, only DES is allowed. You decide to use a key derivation
approach described by the following equation:
Ki = H(Kab | i)
Here Kab is the long key (2048-bit) derived using the Diffie-Hellman protocol, H is a
hash function that produces a fixed-length short hash, and i is a 16-bit integer indexing the
key. The secret-key encryption session key Ki is renewed by recomputing the hash after
incrementing i.
(a) First we have to determine whether the attacker can store an entire movie with
reasonable effort. Assume that the data rate for the TV link is 1 Mbit/s and that the
longest movies we want are 2 hours long. How many Gbytes (where 1M = 10^6 and
1G = 10^9) of data must be stored for a 2-hour movie? Is this realistic?
(b) We assume that an attacker will be able to find a DES key in 10 minutes using a
brute-force attack. How frequently must a key be derived if the goal is to prevent an
off-line decryption of a 2-hour movie in less than 30 days?
5. (15 points) The fundamental arithmetic operation that underlies many public-key
schemes is modular multiplication. The efficiency of modular multiplication largely
determines the performance of the entire scheme. Modular multiplication can be
performed in two steps: ordinary integer multiplication, followed by reduction of the product
modulo the modulus. If ordinary integer division is used for the reduction, the performance of
modular multiplication is unacceptably slow. With this in mind, researchers have
suggested using primes of special form as the modulus. Two classes of such primes
have been proposed:
p = 2^k - 1 (Mersenne primes)
p = 2^k +/- c with small c (e.g., c = 3, 5) (pseudo-Mersenne primes)
(a) Can these special primes be used in the construction of RSA, ElGamal, Diffie-Hellman key exchange, or elliptic-curve cryptosystems?
(b) Show how these special forms can be used to implement more efficient reduction.
Which form is more efficient?
(c) Find all Mersenne primes with k < 1000. How many are there? Remember that for elliptic-curve
cryptosystems, practical bit-lengths are in the range of 160-250. Are there any
Mersenne primes in this range?
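The reduction trick behind part (b), worked in code and added here as an illustration (not part of the exam): because 2^k ≡ c (mod 2^k - c), the high half of a product is folded down with a shift, a mask and one multiplication by the small constant c, with no division. The same fold is what makes the Lucas-Lehmer test for Mersenne primes cheap, so the block also enumerates exponents k for part (c). Function names are mine; the moduli used in the demonstration are as labelled in the code.

```python
# Added example (not part of the exam): reduction modulo primes of the special
# forms 2^k - 1 and 2^k -/+ c, and a Lucas-Lehmer test built on the same fold
# reduction. Function names are mine.

def reduce_special(x: int, k: int, c: int) -> int:
    """Reduce x >= 0 modulo p = 2^k - c for small c (c < 0 covers p = 2^k + |c|).

    Because 2^k ≡ c (mod p), the part of x above bit k-1 can be folded down with
    a shift, a mask and one multiplication by the small constant c, replacing a
    full multi-precision division. For c = 1 (Mersenne) the multiply disappears.
    """
    assert x >= 0 and 0 < abs(c) < (1 << (k - 1))
    p = (1 << k) - c
    mask = (1 << k) - 1
    while x >= (1 << k):             # bits remain above position k-1: fold them
        hi, lo = x >> k, x & mask
        x = lo + hi * c              # x = hi*2^k + lo ≡ hi*c + lo (mod p)
    while x < 0:                     # only reachable when c < 0 (p = 2^k + |c|)
        x += p
    while x >= p:                    # at most a couple of conditional subtractions
        x -= p
    return x


def is_mersenne_prime(k: int) -> bool:
    """Lucas-Lehmer test for M_k = 2^k - 1; k is assumed prime (M_k is composite
    otherwise). Every step reduces modulo M_k with the Mersenne fold above."""
    if k == 2:
        return True                  # M_2 = 3; the recurrence below needs k > 2
    m = (1 << k) - 1
    s = 4
    for _ in range(k - 2):
        s = reduce_special(s * s - 2 + m, k, 1)   # "+ m" keeps the argument >= 0
    return s == 0


def mersenne_exponents_below(limit: int) -> list[int]:
    """All k < limit for which 2^k - 1 is prime."""
    primes = [k for k in range(2, limit)
              if all(k % d for d in range(2, int(k ** 0.5) + 1))]
    return [k for k in primes if is_mersenne_prime(k)]


if __name__ == "__main__":
    ks = mersenne_exponents_below(1000)
    print(len(ks), "Mersenne primes with k < 1000:", ks)
    print("exponents in the ECC range 160-250:", [k for k in ks if 160 <= k <= 250])
```

The fold is correct for any modulus of the form 2^k - c, prime or not; primality is a separate property, which is why the Lucas-Lehmer test is needed for part (c).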
6. (15 points) For an elliptic curve E: y^2 = x^3 + ax + b (mod p) defined over GF(p)
using the elliptic curve group point addition formulae, show that if P, Q are elements of
E, then P + Q is an element of E. Prove this assertion for both P != Q and P = Q cases.
7. (10 points) Let p be a prime and let  be an integer that is not divisible by p. Let
h(x) = x (mod p).
Explain why h(x) is NOT a good cryptographic hash function.
8. (10 points) In this problem the complexity of the encryption process for elliptic curve
cryptosystems is investigated:
(a) Describe an adaptation of the square-and-multiply algorithm to the operation
Q = kP, where k is an integer and P and Q are points on the curve. Provide a
pseudo-code description.
(b) How many point additions and how many point doublings are required on average for
the operation Q = kP, assuming that k has log2(p) bits?
(c) How many point operations are required to encrypt the message pair (x1, x2) on
average? Addition and doubling each count as one group operation. Take only the
operations for computing c1, c2 and y0 into account (the complexities for
computing y1 and y2 are negligible).
(d) Assume that k, p, x1 and x2 each have log2(p) = 160 bits and that each group
operation (addition or doubling) requires 20 microseconds. What is the data
throughput of the encryption unit in bits/sec?