How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Transcription

1 Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that changes periodically, perhaps every minute. Each such device has a unique secret key. A human can prove possession of a particular such device by entering the displayed number into a computer system. The computer system knows the secret keys of each authorized device. How would you design such a device? 3. How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block? 4. Make an argument as to why the initial permutation of the bits of the DES key cannot have any security value. 5. Suppose the DES mangler function mapped every 32-bit value to zero, regardless of the value of its input. What function would DES then compute? 6.

2 Are all the 56 bits of the DES key used an equal number of times in the Ki? Specify, for each of the Ki, which bits are not used. 7. What would change in the DES description if keys were input as 56-bit quantities rather than 64-bit quantities? 8. Why is a DES weak key (see Weak and Semi-Weak Keys) its own inverse? Hint: DES encryption and decryption are the same once the per-round keys are generated. 9. Why is each DES semi-weak key the inverse of another semi-weak key? 10. Class project: design and implement an efficient DES breaking system. (Hint: Have your system take as input a <plaintext, ciphertext> pair and a starting key number, and searches from that starting key number for a DES key that will map the plaintext into that ciphertext.) Use your system to tell us what DES key mapped 0 to 5761b9ab9858b34b16. Free T-shirts to the first ten correct answers. 11. Show that DES encryption and decryption are identical except for the order of the 48-bit keys. Hint: running a round backwards is the same as running it forwards but with the halves swapped (see A DES Round), and DES has a swap after round 16 when run forwards (see DES Overview).

3 12. Verify the MixColumn result in Figure 3-25 by using the same method (in conjunction with Figure 3-28 s table) to compute InvMixColumn of the MixColumn result and checking that you produce the MixColumn input. 13. Describe in detail the optimization of the Rijndael inverse round mentioned at the end of Optimization. 14. Give an upper bound on the number of 258-octet states possible in RC Homework 1. What pseudo-random block stream is generated by 64-bit OFB with a weak DES key? 2. The pseudo-random stream of blocks generated by 64-bit OFB must eventually repeat (since at most 264 different blocks can be generated). Will K{IV} necessarily be the first block to be repeated? 3.

4 Let s assume you do DES double encryption by encrypting with K1 and doing DES in decrypt mode with K2. Does the same attack work as with double encryption with K1 and K2? If not, how could it be made to work? 4. What is a practical method for finding a triple of keys that maps a given plaintext to a given ciphertext using EDE? Hint: It is like the meet-in-the-middle attack of Encrypting Twice with Two Keys. 5. Let s assume that someone does triple encryption by using EEE with CBC on the inside. Suppose an attacker modifies bit x of ciphertext block n. How does this affect the decrypted plaintext? 6. Consider the following alternative method of encrypting a message. To encrypt a message, use the algorithm for doing a CBC decrypt. To decrypt a message, use the algorithm for doing a CBC encrypt. Would this work? What are the security implications of this, if any, as contrasted with the normal CBC? Homework 1. Doing a signature with RSA alone on a long message would be too slow (presumably using cipher block chaining). Suppose we could do division quickly. Would it be reasonable to compute an RSA signature on a long message by first finding what the message equals, mod n, and signing that?

5 2. Message digests are reasonably fast, but here s a much faster function to compute. Take your message, divide it into 128-bit chunks, and all the chunks together to get a 128-bit result. Do the standard message digest on the result. Is this a good message digest function? 3. In 5.1 Introduction we discuss the devious secretary Bob having an automatic means of generating many messages that Alice would sign, and many messages that Bob would like to send. By the birthday problem, by the time Bob has tried a total of 232 messages, he will probably have found two with the same message digest. The problem is, both may be of the same type, which would not do him any good. How many messages must Bob try before it is probable that he ll have messages with matching digests, and that the messages will be of opposite types? 4. In Hashing Large Messages, we described a hash algorithm in which a constant was successively encrypted with blocks of the message. We showed that you could find two messages with the same hash value in about 232 operations. So we suggested doubling the hash size by using the message twice, first in forward order to make up the first half of the hash, and then in reverse order for the second half of the hash. Assuming a 64-bit encryption block, how could you find two messages with the same hash value in about 232 iterations? Hint: consider blockwise palindromic messages. 5. Design a modification to MD2 to handle messages which are not an integral number of octets. Design it so that messages that are an integral number of octets have the same digest value as with the existing MD2. 6.

6 Why do MD4, MD5, and SHA-1 require padding of messages that are already a multiple of 512 bits? 7. Modify the specification of SHA-1 so that it looks a lot more like MD4 and MD5. Do this by having each of the words A, B, C, D, and E modified in place rather than (as SHA-1 specifies it) modifying A and then basically rotating the words. Alternatively, modify the specifications of MD4 and MD5 to make them look more like SHA-1. How would you choose which specification to base an implementation on in a particular underlying architecture? 8. Open-ended project: Implement one or more of the message digest algorithms and test how random the output appears. For example, test the percentage of 1 bits in the output, or test how many bits of output change with minor changes in the input. Also, design various simplifications of the message digest functions (such as reducing the number of rounds) and see how these change things. 9. What are the minimal and maximal amounts of padding that would be required in each of the message digest functions? 10. Assume,,, +, ~, and Homework all take about the same amount of time. Estimate the relative performance of MD2, MD4, MD5, and SHA Show that the checksum function in MD2 would not be a good message digest function by showing how to generate a message with a given checksum.

7 12. Assume a good 128-bit message digest function. Assume there is a particular value, d, for the message digest and you d like to find a message that has a message digest of d. Given that there are many more 2000-bit messages that map to a particular 128-bit message digest than 1000-bit messages, would you theoretically have to test fewer 2000-bit messages to find one that has a message digest of d than if you were to test 1000-bit messages? 13. Why do we expect that a randomly chosen 100-bit number will have about the same number of 1 bits and 0 bits? (For you statistics fans, calculate the mean and standard deviation of the number of 1 bits.) 14. For purposes of this exercise, we will define random as having all elements equally likely to be chosen. So a function that selects a 100-bit number will be random if every 100-bit number is equally likely to be chosen. Using this definition, if we look at the function + and we have two inputs, x and y, then the output will be random if at least one of x and y are random. For instance, y can always be 51, and yet the output will be random if x is random. For the following functions, find sufficient conditions for x, y, and z under which the output will be random: ~x x y x y x y

8 (x y) (~x z) [the selection function] (x y) (x z) (y z) [the majority function] x y z y (x z) 15. Prove that the function (x y) (x z) (y z) and the function (x y) (x z) (y z) are equivalent. (Sorry this isn t too relevant to cryptography, but we d stumbled on two different versions of this function in different documentation and we had to think about it for a bit to realize they were the same. We figured you should have the same fun.) 16. We mentioned in Computing a MAC with a Hash that using MD4(KAB m) as a MAC is not secure. This is not a problem if MD2 is used instead of MD4. Why is that the case? 17. In Generating a One-Time Pad, we generate a pseudo-random stream of MD-sized blocks. This stream must eventually repeat (since only 2MD-size different blocks can be generated). Will the first block necessarily be the first to be repeated? How does this compare to OFB (see Chapter 4 Modes of Operation Homework Problem 2)? 18. How do you decrypt the encryption specified in Mixing In the Plaintext?

9 19. Can you modify the encryption specified in Mixing In the Plaintext so that instead of bi = MD(KAB ci 1) we use bi = MD(KAB pi 1)? How do you decrypt it? Why wouldn t the modified scheme be as secure? (Hint: what would happen if the plaintext consisted of all zeroes?)