Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

7.7 Exercises

Consider the following DES-like encryption method. Start with a message of $2 n$ $2 n$ bits. Divide it into two blocks of length $n$ $n$ (a left half and a right half): $M_{0} M_{1}$ $M_{0} M_{1}$ . The key $K$ $K$ consists of $k$ $k$ bits, for some integer $k$ $k$ . There is a function $f (K, M)$ $f (K, M)$ that takes an input of $k$ $k$ bits and $n$ $n$ bits and gives an output of $n$ $n$ bits. One round of encryption starts with a pair $M_{j} M_{j + 1}$ $M_{j} M_{j + 1}$ . The output is the pair $M_{j + 1} M_{j + 2}$ $M_{j + 1} M_{j + 2}$ , where

$M_{j + 2} = M_{j} \oplus f (K, M_{j + 1}) .$ $M_{j + 2} = M_{j} \oplus f (K, M_{j + 1}) .$

( $\oplus$ $\oplus$ means XOR, which is addition mod 2 on each bit). This is done for $m$ $m$ rounds, so the ciphertext is $M_{m} M_{m + 1}$ $M_{m} M_{m + 1}$ .
1. If you have a machine that does the $m$ $m$ -round encryption just described, how would you use the same machine to decrypt the ciphertext $M_{m} M_{m + 1}$ $M_{m} M_{m + 1}$ (using the same key $K$ $K$ )? Prove that your decryption method works.
2. Suppose $K$ $K$ has $n$ $n$ bits and $f (K, M) = K \oplus M$ $f (K, M) = K \oplus M$ , and suppose the encryption process consists of $m = 2$ $m = 2$ rounds. If you know only a ciphertext, can you deduce the plaintext and the key? If you know a ciphertext and the corresponding plaintext, can you deduce the key? Justify your answers.
3. Suppose $K$ $K$ has $n$ $n$ bits and $f (K, M) = K \oplus M$ $f (K, M) = K \oplus M$ , and suppose the encryption process consists of $m = 3$ $m = 3$ rounds. Why is this system not secure?
Bud gets a budget 2-round Feistel system. It uses a 32-bit $L$ $L$ , a 32-bit $R$ $R$ , and a 32-bit key $K$ $K$ . The function is $f (R, K) = R \oplus K$ $f (R, K) = R \oplus K$ , with the same key for each round. Moreover, to avoid transmission errors, he always uses a 32-bit message $M$ $M$ and lets $L_{0} = R_{0} = M$ $L_{0} = R_{0} = M$ . Eve does not know Bud’s key, but she obtains the ciphertext for one of Bud’s encryptions. Describe how Eve can obtain the plaintext $M$ $M$ and the key $K$ $K$ .
As described in Section 7.6, a way of storing passwords on a computer is to use DES with the password as the key to encrypt a fixed plaintext (usually 000 . . . 0). The ciphertext is then stored in the file. When you log in, the procedure is repeated and the ciphertexts are compared. Why is this method more secure than the similar-sounding method of using the password as the plaintext and using a fixed key (for example, $000 \dots 0$ $000 \dots 0$ )?
Nelson produces budget encryption machines for people who cannot afford a full-scale version of DES. The encryption consists of one round of a Feistel system. The plaintext has 64 bits and is divided into a left half $L$ $L$ and a right half $R$ $R$ . The encryption uses a function $f (R)$ $f (R)$ that takes an input string of 32 bits and outputs a string of 32 bits. (There is no key; anyone naive enough to buy this system should not be trusted to choose a key.) The left half of the ciphertext is $C_{0} = R$ $C_{0} = R$ and the right half is $C_{1} = L \oplus f (R)$ $C_{1} = L \oplus f (R)$ . Suppose Alice uses one of these machines to encrypt and send a message to Bob. Bob has an identical machine. How does he use the machine to decrypt the ciphertext he receives? Show that this decryption works (do not quote results about Feistel systems; you are essentially justifying that a special case works).
1. Let $K = 111 \dots 111$ $K = 111 \dots 111$ be the DES key consisting of all 1s. Show that if $E_{K} (P) = C$ $E_{K} (P) = C$ , then $E_{K} (C) = P$ $E_{K} (C) = P$ , so encryption twice with this key returns the plaintext. (Hint: The round keys are sampled from $K$ $K$ . Decryption uses these keys in reverse order.)
2. Find another key with the same property as $K$ $K$ in part (a).
Alice uses quadruple DES encryption. To save time, she chooses two keys, $K_{1}$ $K_{1}$ and $K_{2}$ $K_{2}$ , and encrypts via $c = E_{K_{1}} (E_{K_{1}} (E_{K_{2}} (E_{K_{2}} (m))))$ $c = E_{K_{1}} (E_{K_{1}} (E_{K_{2}} (E_{K_{2}} (m))))$ . One day, Alice chooses $K_{1}$ $K_{1}$ to be the key of all 1s and $K_{2}$ $K_{2}$ to be the key of all 0s. Eve is planning to do a meet-in-the-middle attack, but after examining a few plaintext–ciphertext pairs, she decides that she does not need to carry out this attack. Why? (Hint: Look at Exercise 5.)
For a string of bits $S$ $S$ , let $\overline{S}$ $\overline{S}$ denote the complementary string obtained by changing all the 1s to 0s and all the 0s to 1s (equivalently, $\overline{S} = S \oplus 11111 \dots$ $\overline{S} = S \oplus 11111 \dots$ ). Show that if the DES key $K$ $K$ encrypts $P$ $P$ to $C$ $C$ , then $\overline{K}$ $\overline{K}$ encrypts $\overline{P}$ $\overline{P}$ to $\overline{C}$ $\overline{C}$ . (Hint: This has nothing to do with the structure of the S-boxes. To do the problem, just work through the encryption algorithm and show that the input to the S-boxes is the same for both encryptions. A key point is that the expansion of $\overline{C}$ $\overline{C}$ is the complementary string for the expansion of $C$ $C$ .)
Suppose we modify the Feistel setup as follows. Divide the plaintext into three equal blocks: $L_{0}$ $L_{0}$ , $M_{0}$ $M_{0}$ , $R_{0}$ $R_{0}$ . Let the key for the $i$ $i$ th round be $K_{i}$ $K_{i}$ and let $f$ $f$ be some function that produces the appropriate size output. The $i$ $i$ th round of encryption is given by

$L_{i} = R_{i - 1}, M_{i} = L_{i - 1}, R_{i} = f (K_{i}, R_{i - 1}) \oplus M_{i - 1} .$ $L_{i} = R_{i - 1}, M_{i} = L_{i - 1}, R_{i} = f (K_{i}, R_{i - 1}) \oplus M_{i - 1} .$

This continues for $n$ $n$ rounds. Consider the decryption algorithm that starts with the ciphertext $A_{n}, B_{n}, C_{n}$ $A_{n}, B_{n}, C_{n}$ and uses the algorithm

$A_{i - 1} = B_{i}, B_{i - 1} = f (K_{i}, A_{i}) \oplus C_{i}, C_{i - 1} = A_{i} .$ $A_{i - 1} = B_{i}, B_{i - 1} = f (K_{i}, A_{i}) \oplus C_{i}, C_{i - 1} = A_{i} .$

This continues for $n$ $n$ rounds, down to $A_{0}, B_{0}, C_{0}$ $A_{0}, B_{0}, C_{0}$ . Show that $A_{i} = L_{i}, B_{i} = M_{i}, C_{i} = R_{i}$ $A_{i} = L_{i}, B_{i} = M_{i}, C_{i} = R_{i}$ for all $i$ $i$ , so that the decryption algorithm returns the plaintext. (Remark: Note that the decryption algorithm is similar to the encryption algorithm, but cannot be implemented on the same machine as easily as in the case of the Feistel system.)
Suppose $E_{K} (M)$ $E_{K} (M)$ is the DES encryption of a message $M$ $M$ using the key $K$ $K$ . We showed in Exercise 7 that DES has the complementation property, namely that if $y = E_{K} (M)$ $y = E_{K} (M)$ then $\overline{y} = E_{\overline{K}} (\overline{M})$ $\overline{y} = E_{\overline{K}} (\overline{M})$ , where $\overline{M}$ $\overline{M}$ is the bit complement of $M$ $M$ . That is, the bitwise complement of the key and the plaintext result in the bitwise complement of the DES ciphertext. Explain how an adversary can use this property in a brute force, chosen plaintext attack to reduce the expected number of keys that would be tried from $2^{55}$ $2^{55}$ to $2^{54}$ $2^{54}$ . (Hint: Consider a chosen plaintext set of $(M_{1}, C_{1})$ $(M_{1}, C_{1})$ and $(\overline{M_{1}}, C_{2})$ $(\overline{M_{1}}, C_{2})$ ).

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 7.7 Exercises

Create new playlist

Sign In

Sign Up

Table of Contents for
7.7 Exercises