Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit plaintext blocks x = (x 63 x 62...x 0 ) on 64-bit ciphertext blocks y = (y 63 y 62...y 0 ) using a 56-bit secret key k = (k 55 k 54...k 0 ) as a parameter (see Figure 1). (x 63 x 62...x 0 ) 64 56 DES (k 55 k 54...k 0 ) 64 (y 63 y 62...y 0 ) Figure 1: DES, a mapping of 64-bit plaintext blocks on 64-bit ciphertext block, depending on a 56-bit secret key 1. When the secret key k is fixed, DES defines a specific permutation on X = {0,1} 64. Why do you think it is necessary for DES to be a bijection, and not a simple function? 2. How many permutations can you find on X = {0,1} 64? How many different secret keys does DES have? 3. DES internal design involves a 32-bit transformation which is represented in Figure 2. Is this transformation a permutation and/or a transposition? 1
Figure 2: A transformation in DES on 32-bit strings Consider now a random permutation on {0,1} l represented by a random variablec,uniformlydistributedamongallpossiblepermutationsof{0,1} l. 12. Compute Pr[C = c], where c is a fixed permutation on {0,1} l. 13. Let x,y {0,1} l be two fixed l-bit strings. Using the previous question, computepr[c (x) = y]. ComparethisprobabilitywithPr[Y = y] where Y is a random variable uniformly distributed in {0,1} l. 14. Let a,b {0,1} l such that a 0. We define the differential probability of C to be DP C (a,b) = Pr X [C (X a) = C (X) b], where the probability holds over the uniform distribution of X. For b 0, show that E C (DP C (a,b)) = 1 2 l 1. Exercise 2 Weak Keys of DES We say that a DES key k is weak if DES k is an involution. Exhibit four weak keys for DES. Reminder: Let S be a finite set and let f be a bijection from S to S. The function f is an involution if f(f(x)) = x for all x S. Exercise 3 Semi-Weak Keys of DES We say that a DES key k is semi-weak if it is not weak and if there exists a key k such that DES 1 k = DES k. Exhibit four semi-weak keys for DES. 2
Exercise 4 Complementation Property of DES Given a bitstring x we let x denote the bitwise complement, i.e., the bitstring obtained by flipping all bits of x. 1. Prove that for any x and K. DES K (x) = DES K (x) 2. Deduce a brute force attack against DES with average complexity of 2 54 DES encryptions. Hint: Assume that the adversary who is looking for K is given a plaintext block x and the two values corresponding to DES K (x) and DES K (x). Exercise 5 Exhaustive Search on 3DES We consider 3DES with three independent keys. Let P,C {0,1} 64 be k 1 k 2 k 3 P DES DES 1 DES C Figure 3: 3DES with three independent keys a plaintext/ciphertext pair, where C = 3DES k (P) for some unknown key k = (k 1,k 2,k 3 ) (see Figure 3). We want to recover k by an exhaustive search. 1. What is the number of DES encryptions/decryptions of the following algorithm Input: a plaintext/ciphertext couple (P, C) Output: key candidate(s) for k = (k 1,k 2,k 3 ) Processing: 1: for each possible key K = (K 1,K 2,K 3 ) do 2: if C = 3DES K (P) then 3: display K = (K 1,K 2,K 3 ) 4: end if 5: end for 2. Let C : {0,1} 64 {0,1} 64 denote a uniformly distributed random permutation. What is the probability that C (P) = C. 3
3. Assuming that 3DES K roughly behaves like C when K is a uniformly distributed random key, estimate the number of wrong keys (i.e., different from k) displayed by the Algorithm. 4. Assume that an adversary has t distinct plaintext/ciphertext pairs denoted (P i,c i ) for i = 1,...,t, all encrypted under the same (still unknown) key k (so that C i = 3DES k (P i )). Write an algorithm similar to the Algorithm that reduces the number of wrong keys that are displayed(butwhichdoesatleastdisplayk). Whatisthetotalnumber of DES encryptions/decryptions of this algorithm? 5. Express the average number of wrong keys that are displayed by your algorithm in function of t (which is the number of available plaintext/ciphertext couples). Evaluate the necessary number of couples in order to be almost sure that only the good key k = (k 1,k 2,k 3 ) is displayed. Exercise 6 3DES Exhaustive Search 1. What is the average complexity of an exhaustive search against the two-key 3DES? 2. How can an adversary take advantage of the complementation property DES K (x) = DES K (x)? What is the complexity now? Exercise 7 RSA with exponent 3 In this exercise we consider an RSA modulus n = pq where p and q are large prime numbers (here, by large we mean at least equal to 5). We consider a valid RSA exponent e for RSA. 1. Show that neither (p mod 3) nor (q mod 3) can be equal to 0. 2. Under which condition e is a valid exponent for a modulus n? 3. From now on, we will assume that e = 3. Show that neither p 1 nor q 1 can be multiples of 3. 4. Deduce that p mod 3 = q mod 3 = 2. 5. What is the value of n mod 3? 6. For any digits d 0,...,d l 1, show that ( l 1 ) d i 10 i mod 3 = ( l 1 i=0 i=0 ) (d i mod 3) mod 3 4
7. Show that e = 3 is not a valid RSA exponent for the following RSA modulus: n = 777575993 Exercise 8 Congruence Relations 1. Solve the following congruence relations (if possible): (a) 3x 2 mod 11 (b) 5x 11 mod 12 (c) 6x 8 mod 14 (d) 3x 2 mod 18 2. Simplify (without a calculator) (a) 2 23 mod 11 (b) 3 110 mod 53 (c) 4 18 mod 15 Exercise 9 Captain s Age 1. The aim of this exercise is to find the very secret age of the Captain. The only information we know is that one year ago, his age was a multiple of 3, in 2 years it will be a multiple of 5, and in 4 years it will be a multiple of 7. Deduce the Captain s age. Hint: Maybe the Captain is Chinese... 2. Solve the following system of congruence equations: 3x 4 mod 7 2x 10 mod 26 4x 12 mod 20 Exercise 10 Groups, Rings and Fields 1. Do the following form groups? If not, which of the properties do they fail? (a) The even integers under addition. (b) ( a b c d) : a,b,c,d R under matrix multiplication. (c) The real numbers under operator defined by a b = a+b+ab. (d) The set {2, 4, 6, 8} under multiplication modulo 10. 5
(e) Z under operator defined by a b = a+b+1. 2. List all the subgroups of the group {2,4,6,8,10,12} under multiplication modulo 14 and in each case give their order. 3. Find the inverses of: (a) 6 mod 19 (b) 3 mod 10 (c) 11 mod 16 (d) 14 mod 22 4. Do the following form Fields or Rings under normal addition and multiplication? (a) even integers (b) {a+bj} : a,b Z 6