
Carleton University COMP4109 - Applied Cryptography, Fall 2013 Assignment 1

Due Friday, October 25 at 8:30 am

You are welcome to collaborate with your classmates on the assignments. However, you must write up your solution yourself. Be sure to acknowledge your collaborators for each problem that you submit. Be sure to acknowledge any other resources you used for each problem, such as a book, paper or other resources.

The assignment is due at the start of class on October 25. You can submit a hard copy in class or electronically submit a PDF to cuLearn. Your submission should be typeset or written very neatly. The assignment has 4 problems and 40 possible marks.

1: PRGs [10 marks]


One of the oldest pseudorandom number generators is a multiplicative congruence generator. For public $m \in \mathbb{N}$ and secret $a, b_0 \in \mathbb{Z}_m$, the sequence of random numbers is generated using the recurrence $b_{i+1} = a \cdot b_i \bmod m$, for $i \ge 0$.

a) Show that the output of this PRNG is easily distinguished from a random sequence of numbers (modulo m).

b) Show that if m is a prime number, this PRNG does not satisfy the next-bit test. That is, show that given some number of bits of the output stream you can determine the next bit with probability much greater than 1/2. Also show that it provides no forward security at all.

2: Hash Functions and MACs [10 marks]


a) Let f, g and h be hash functions that each map binary strings of length 2n to binary strings of length n. Suppose that h(x) = f(g(x) || g(x)). Prove that if f and g are collision resistant then h is also collision resistant.

b) Let m = m1 ||m2 || ||m where each block mi is 128 bits long. Let MAC_k(m) = c_t, where c_0 = 0, and ci = ci1 mi AESk (mi ) for i i t. Show that this MAC is either secure or insecure.

3: Bad Shuffles [10 marks]


Consider the following card shuffling algorithm. There are three cards in the deck and they are each represented by a number in {0, 1, 2}.

Algorithm Shuffle
---------------------------------------------------
deck := [0,1,2]
for i from 0 to 2 do
    j := RANDOM(i)
    swap values of deck[i] and deck[j]
end for
return deck
---------------------------------------------------

For each of the following definitions of RANDOM(i), compute the probability distribution of all six valid hands, [0, 1, 2], [0, 2, 1], [1, 0, 2], etc., at the end of the algorithm. Show your work.

a) RANDOM(k) returns an integer chosen uniformly at random from the set {0, 1, 2}. Here, each of the three values is equally likely to be returned.

b) RANDOM(k) returns an integer chosen uniformly at random from k to 2 (inclusive). Here, values less than k are not returned.

c) RANDOM(k) returns an integer chosen uniformly at random from the set {0, 1, 2} \ {k}. Here, the value of k is never returned (so each swap must actually swap values).

Briefly comment about the results of the three algorithms.

4: Output Bias in RC4 [10 marks]


This problem involves a bias in the key-stream output of RC4. The key-scheduling algorithm and key-stream generator algorithm are given at the end of this assignment for reference.

a) If the input to the key-stream generator satisfies (S[1] != 2) and (S[2] == 0), prove that the second key-stream byte that is output by the generator is 0.

b) Estimate the probability that the second key-stream byte of RC4 is 0. State any assumptions that you make. (Your probability determination should be taken over all possible secret keys.) What does your result show?

c) Suppose a 3-byte message m is encrypted with 1024 different RC4 secret keys and you are given all of the ciphertexts. How can you use your result of part b) in this situation? What can you learn about the plaintext?

RC4
RC4 Key-schedule algorithm (input: key)
---------------------------------------------------
for i from 0 to 255 do
    S[i] := i
end for
j := 0
for i from 0 to 255 do
    j := (j + S[i] + key[i % key.length]) % 256
    swap values of S[i] and S[j]
end for
---------------------------------------------------

RC4 Key-stream generator (input: S[0],...,S[255])
---------------------------------------------------
i := 0
j := 0
while NeedMoreBytes do
    i := (i + 1) % 256
    j := (j + S[i]) % 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) % 256]
    output K
end while
---------------------------------------------------
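
The two reference algorithms above as runnable Python, added here as an example that is not part of the original assignment. It checks the condition from problem 4 a) on constructed states and tallies zero second bytes over random keys for comparison with a hand estimate in 4 b). The function names, the 16-byte key length and the seeds are assumptions of this example; the b"Key" check uses the widely published RC4 test vector.

```python
import random

def ksa(key: bytes) -> list:
    """RC4 key schedule, following the reference pseudocode."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def keystream(S: list, n: int) -> bytes:
    """First n key-stream bytes; works on a copy so the caller's S is kept."""
    S = list(S)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def constructed_state(rng: random.Random) -> list:
    """Random permutation forced to satisfy S[2] == 0 and S[1] != 2."""
    S = list(range(256))
    rng.shuffle(S)
    z = S.index(0)
    S[2], S[z] = S[z], S[2]        # place 0 at index 2
    if S[1] == 2:                  # move the value 2 away from index 1
        S[1], S[3] = S[3], S[1]
    return S

def part_a_holds(trials: int = 2000, seed: int = 1) -> bool:
    """True if every constructed state yields 0 as its second output byte."""
    rng = random.Random(seed)
    return all(keystream(constructed_state(rng), 2)[1] == 0 for _ in range(trials))

def second_byte_zero_count(n_keys: int, seed: int = 2, key_len: int = 16) -> int:
    """Number of random keys (constructed, seeded) whose second byte is 0."""
    rng = random.Random(seed)
    keys = (bytes(rng.randrange(256) for _ in range(key_len)) for _ in range(n_keys))
    return sum(keystream(ksa(k), 2)[1] == 0 for k in keys)

if __name__ == "__main__":
    assert keystream(ksa(b"Key"), 4).hex() == "eb9f7781"
    print("4 a) condition forces a zero second byte:", part_a_holds())
    n = 16000
    print(f"second byte == 0 for {second_byte_zero_count(n)} of {n} random keys")
```

Compare the printed count with n/256, the count a uniformly distributed second byte would give.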
