Homework

1.

Come up with as efficient an encoding as you can to specify a completely general one-to-one
mapping between 64-bit input values and 64-bit output values.

2.

Token cards display a number that changes periodically, perhaps every minute. Each such device
has a unique secret key. A human can prove possession of a particular such device by entering the
displayed number into a computer system. The computer system knows the secret keys of each
authorized device. How would you design such a device?

3.

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext
block?

4.

Make an argument as to why the initial permutation of the bits of the DES key cannot have any
security value.

5.

Suppose the DES mangler function mapped every 32-bit value to zero, regardless of the value of its
input. What function would DES then compute?

6.

Are all the 56 bits of the DES key used an equal number of times in the Ki? Specify, for each of the Ki,
which bits are not used.

7.

What would change in the DES description if keys were input as 56-bit quantities rather than 64-bit
quantities?

8.

Why is a DES weak key (see 3.3.6 Weak and Semi-Weak Keys) its own inverse? Hint: DES encryption
and decryption are the same once the per-round keys are generated.

9.

Why is each DES semi-weak key the inverse of another semi-weak key?

10.

Class project: design and implement an efficient DES breaking system. (Hint: Have your system take
as input a <plaintext, ciphertext> pair and a starting key number, and searches from that starting key
number for a DES key that will map the plaintext into that ciphertext.) Use your system to tell us
what DES key mapped 0 to 5761b9ab9858b34b16. Free T-shirts to the first ten correct answers.

11.

Show that DES encryption and decryption are identical except for the order of the 48-bit keys. Hint:
running a round backwards is the same as running it forwards but with the halves swapped (see
3.3.4 A DES Round), and DES has a swap after round 16 when run forwards (see 3.3.1 DES
Overview).

12.

Verify the MixColumn result in Figure 3-25 by using the same method (in conjunction with Figure 3-
28s table) to compute InvMixColumn of the MixColumn result and checking that you produce the
MixColumn input.

13.

Describe in detail the optimization of the Rijndael inverse round mentioned at the end of 3.5.6
Optimization.

14.

Give an upper bound on the number of 258-octet states possible in RC4.

----------------------------------------------------------------------------------------------------------------------

Homework
1.

What pseudo-random block stream is generated by 64-bit OFB with a weak DES key?

2.

The pseudo-random stream of blocks generated by 64-bit OFB must eventually repeat (since at most
264 different blocks can be generated). Will K{IV} necessarily be the first block to be repeated?

3.

Lets assume you do DES double encryption by encrypting with K1 and doing DES in decrypt mode
with K2. Does the same attack work as with double encryption with K1 and K2? If not, how could it
be made to work?

4.

What is a practical method for finding a triple of keys that maps a given plaintext to a given
ciphertext using EDE? Hint: It is like the meet-in-the-middle attack of 4.4.1.2 Encrypting Twice
with Two Keys.

5.

Lets assume that someone does triple encryption by using EEE with CBC on the inside. Suppose an
attacker modifies bit x of ciphertext block n. How does this affect the decrypted plaintext?

6.

Consider the following alternative method of encrypting a message. To encrypt a message, use the
algorithm for doing a CBC decrypt. To decrypt a message, use the algorithm for doing a CBC
encrypt. Would this work? What are the security implications of this, if any, as contrasted with the
normal CBC?

--------------------------------------------------------------------------------------------------------------

Homework
1.

Doing a signature with RSA alone on a long message would be too slow (presumably using cipher
block chaining). Suppose we could do division quickly. Would it be reasonable to compute an RSA
signature on a long message by first finding what the message equals, mod n, and signing that?

2.

Message digests are reasonably fast, but heres a much faster function to compute. Take your
message, divide it into 128-bit chunks, and all the chunks together to get a 128-bit result. Do
the standard message digest on the result. Is this a good message digest function?

3.

In 5.1 Introduction we discuss the devious secretary Bob having an automatic means of generating
many messages that Alice would sign, and many messages that Bob would like to send. By the
birthday problem, by the time Bob has tried a total of 232 messages, he will probably have found
two with the same message digest. The problem is, both may be of the same type, which would not
do him any good. How many messages must Bob try before it is probable that hell have messages
with matching digests, and that the messages will be of opposite types?

4.

In 5.2.4.2 Hashing Large Messages, we described a hash algorithm in which a constant was
successively encrypted with blocks of the message. We showed that you could find two messages
with the same hash value in about 232 operations. So we suggested doubling the hash size by using
the message twice, first in forward order to make up the first half of the hash, and then in reverse
order for the second half of the hash. Assuming a 64-bit encryption block, how could you find two
messages with the same hash value in about 232 iterations? Hint: consider blockwise palindromic
messages.

5.

Design a modification to MD2 to handle messages which are not an integral number of octets.
Design it so that messages that are an integral number of octets have the same digest value as with
the existing MD2.

6.

Why do MD4, MD5, and SHA-1 require padding of messages that are already a multiple of 512 bits?

7.

Modify the specification of SHA-1 so that it looks a lot more like MD4 and MD5. Do this by having
each of the words A, B, C, D, and E modified in place rather than (as SHA-1 specifies it) modifying A
and then basically rotating the words. Alternatively, modify the specifications of MD4 and MD5 to
make them look more like SHA-1. How would you choose which specification to base an
implementation on in a particular underlying architecture?

8.

Open-ended project: Implement one or more of the message digest algorithms and test how
random the output appears. For example, test the percentage of 1 bits in the output, or test how
many bits of output change with minor changes in the input. Also, design various simplifications of
the message digest functions (such as reducing the number of rounds) and see how these change
things.

9.

What are the minimal and maximal amounts of padding that would be required in each of the
message digest functions?

10.

Assume , , , +, ~, and Homework all take about the same amount of time. Estimate the relative
performance of MD2, MD4, MD5, and SHA-1.

11.

Show that the checksum function in MD2 would not be a good message digest function by showing
how to generate a message with a given checksum.

12.

Assume a good 128-bit message digest function. Assume there is a particular value, d, for the
message digest and youd like to find a message that has a message digest of d. Given that there
are many more 2000-bit messages that map to a particular 128-bit message digest than 1000-bit
messages, would you theoretically have to test fewer 2000-bit messages to find one that has a
message digest of d than if you were to test 1000-bit messages?

13.

Why do we expect that a randomly chosen 100-bit number will have about the same number of 1
bits and 0 bits? (For you statistics fans, calculate the mean and standard deviation of the number of
1 bits.)

14.

For purposes of this exercise, we will define random as having all elements equally likely to be
chosen. So a function that selects a 100-bit number will be random if every 100-bit number is equally
likely to be chosen. Using this definition, if we look at the function + and we have two inputs, x and
y, then the output will be random if at least one of x and y are random. For instance, y can always be
51, and yet the output will be random if x is random. For the following functions, find sufficient
conditions for x, y, and z under which the output will be random:

~x

xy

xy

xy

(xy)(~xz) [the selection function]

(xy)(xz)(yz) [the majority function]

xyz

y(xz)

15.

Prove that the function (xy)(xz)(yz) and the function (xy)(xz)(yz) are equivalent.
(Sorrythis isnt too relevant to cryptography, but wed stumbled on two different versions of this
function in different documentation and we had to think about it for a bit to realize they were the
same. We figured you should have the same fun.)

16.

We mentioned in 5.2.2 Computing a MAC with a Hash that using MD4(KAB|m) as a MAC is not
secure. This is not a problem if MD2 is used instead of MD4. Why is that the case?

17.

In 5.2.3.1 Generating a One-Time Pad, we generate a pseudo-random stream of MD-sized blocks.
This stream must eventually repeat (since only 2MD-size different blocks can be generated). Will the
first block necessarily be the first to be repeated? How does this compare to OFB (see Chapter 4
Modes of Operation Homework Problem 2)?

18.

How do you decrypt the encryption specified in 5.2.3.2 Mixing In the Plaintext?

19.

Can you modify the encryption specified in 5.2.3.2 Mixing In the Plaintext so that instead of bi =
MD(KAB|ci1) we use bi = MD(KAB|pi1)? How do you decrypt it? Why wouldnt the modified
scheme be as secure? (Hint: what would happen if the plaintext consisted of all zeroes?)