
T-79.4501 Cryptography and Data Security
Autumn 2008
Homework 3

Tutor: Joo Y. Cho
[email protected]

1st October 2008


Before we start...

• The solutions will be posted at Noppa on Friday.
• In the meantime, I will post these slides on my personal website:
  http://www.tcs.hut.fi/~jcho/
• Note that the solutions at Noppa are more reliable.
Q1.
DESX was proposed by R. Rivest to protect DES against exhaustive
key search. DESX uses one 64-bit secret key W to perform pre- and
post-whitening of data and a 56-bit DES key K, and operates as
follows:

$C = W \oplus E_K(P \oplus W)$

Originally two different keys were used for pre- and post-whitening,
but Kilian and Rogaway showed (Crypto '96) that the same key can
be used for both. Show that a similar construction

$C = E_K(P \oplus W)$

without post-whitening is insecure, and can be broken using an attack
of complexity $2^{56}$.
A1.
Consider the decryption $D_K(C) = P \oplus W$.
• If the key guess is correct,
  $P_0 \oplus P_1 = W \oplus D_K(C_0) \oplus W \oplus D_K(C_1) = D_K(C_0) \oplus D_K(C_1)$.
• If the key guess is incorrect, the probability that
  $P_0 \oplus P_1 = D_K(C_0) \oplus D_K(C_1)$ is negligible.
• For all $2^{56}$ possible values of K, compute $D_K(C_0)$ and $D_K(C_1)$ and
  keep the keys for which the relation above holds.
• If we are given a few other plaintext/ciphertext pairs, the key
  guess can be verified further.
• Hence, we can find the key K in time $2^{56}$. Once K is found, we
  can find W as $W = P_i \oplus D_K(C_i)$.
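The search of A1 carried out on a toy instance of the Q1 construction, as an added example that is not part of the original slides: the block is 8 bits, K is 10 bits, W is 8 bits, and $E_K$ is assumed to be a key-selected random permutation standing in for DES, so the cost is $2^{10}$ trial decryptions instead of $2^{56}$ while the argument is the one in A1.

```python
# Added example (not from the homework slides): the attack of A1 run against a toy
# instance of C = E_K(P XOR W) from Q1 with an 8-bit block, a 10-bit cipher key K
# and an 8-bit whitening key W. E_K is a key-selected random permutation standing
# in for DES (an assumption; only that it is a keyed bijection is used).
import random

BLOCK_BITS, KEY_BITS = 8, 10

def toy_cipher(K):
    """Return (E_K, D_K) as lookup tables: a permutation of the 2^8 block values
    selected by K."""
    enc = list(range(1 << BLOCK_BITS))
    random.Random(K).shuffle(enc)
    dec = [0] * len(enc)
    for p, c in enumerate(enc):
        dec[c] = p
    return enc, dec

def encrypt_prewhiten_only(K, W, P):
    """The weakened construction of Q1: C = E_K(P XOR W), no post-whitening."""
    enc, _ = toy_cipher(K)
    return enc[P ^ W]

def recover_keys(pairs):
    """pairs: known (P_i, C_i). For the right K the whitening key cancels:
    D_K(C_0) XOR D_K(C_1) == P_0 XOR P_1 (A1, first bullet); a wrong K passes only
    by chance, and the remaining pairs weed those out (A1, fourth bullet).
    Returns every (K, W) consistent with all pairs, with W = P_0 XOR D_K(C_0)."""
    (p0, c0), (p1, c1) = pairs[0], pairs[1]
    candidates = []
    for K in range(1 << KEY_BITS):              # exhaustive search over K alone
        _, dec = toy_cipher(K)
        if dec[c0] ^ dec[c1] != p0 ^ p1:
            continue
        W = p0 ^ dec[c0]                        # W = P_i XOR D_K(C_i) (last bullet of A1)
        if all(dec[c] ^ W == p for p, c in pairs[2:]):
            candidates.append((K, W))
    return candidates
```

The lesson carries over unchanged to the real parameters: whitening on one side only leaves the effective key length at that of K, since W drops out of the test.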
Q2.
Let $f(x) = x^4 + x^3 + x^2 + x + 1$ be the feedback polynomial of an
LFSR.
1. What are the cycles (periods) of the sequences generated by this
   LFSR?
2. Compute the values of the autocorrelation function for each
   cycle.
A2-a. The LFSR with the connection polynomial
$f(x) = x^4 + x^3 + x^2 + x + 1$ is pictured as

[Figure: a four-stage LFSR with stages $s_3, s_2, s_1, s_0$ from left to right; all four stages feed the XOR that fills $s_3$, and the output $z_i$ is taken from $s_0$.]

where $s_3, s_2, s_1$ and $s_0$ are the states of the LFSR.

When the LFSR is clocked, each state is right-shifted and an output is
produced. If the next states are denoted $s_3', s_2', s_1'$ and $s_0'$, then
$(s_0', s_1', s_2', s_3') = (s_1, s_2, s_3, s_3 \oplus s_2 \oplus s_1 \oplus s_0)$.

Starting state $s_3 s_2 s_1 s_0$ and the state after clocks 1 to 5:

s3 s2 s1 s0   1      2      3      4      5
0000          0000   0000   0000   0000   0000
0001          1000   1100   0110   0011   0001
0010          1001   0100   1010   0101   0010
0111          1011   1101   1110   1111   0111
···

Theorem
If $f(x)$ is irreducible over $\mathbb{Z}_2$, then the period of the output sequence is
equal to the least positive integer N such that $f(x)$ divides $1 + x^N$.
Note that N is a divisor of $2^L - 1$ where L is the degree of $f(x)$.

Since $x^5 + 1 = (x^4 + x^3 + x^2 + x + 1)(x + 1)$, the period N is 5.

Q2-b.
The autocorrelation function is defined as

$$C(t) = \frac{1}{N} \sum_{i=0}^{N-1} (2 z_i - 1)\cdot(2 z_{i+t} - 1) \quad \text{for } 0 \le t \le N - 1$$

where $z_i$ is an output of the LFSR.


• For the all-zero cycle, the autocorrelation function is always
  $C(t) = \frac{N}{N} = 1$ for $0 \le t \le N - 1$, where N = 1.
• Now we consider $(s_3 s_2 s_1 s_0) = (0001)$. Then N = 5 and
  $(z_0, z_1, z_2, z_3, z_4, z_5, z_6, \dots) = (1, 0, 0, 0, 1, 1, 0, \dots)$.

t   z_t  z_{t+1}  z_{t+2}  z_{t+3}  z_{t+4}  z_{t+5}  z_{t+6}  z_{t+7}
0   1    0        0        0        1        1        0        0
1   0    0        0        1        1        0        0        0
2   0    0        1        1        0        0        0        1
3   0    1        1        0        0        0        1        1
4   1    1        0        0        0        1        1        0

Hence, we can calculate the autocorrelation function for the cycle.

$$C(0) = \frac{1}{5}\,[(2\cdot1-1)(2\cdot1-1) + (2\cdot0-1)(2\cdot0-1) + (2\cdot0-1)(2\cdot0-1) + (2\cdot0-1)(2\cdot0-1) + (2\cdot1-1)(2\cdot1-1)] = \frac{5}{5} = 1$$

$$C(1) = \frac{1}{5}\,[(2\cdot1-1)(2\cdot0-1) + (2\cdot0-1)(2\cdot0-1) + (2\cdot0-1)(2\cdot0-1) + (2\cdot0-1)(2\cdot1-1) + (2\cdot1-1)(2\cdot1-1)] = \frac{1}{5}$$

···

The results for the cycles with period N = 5 are presented in the following tables,
one table for each of the cycles from (a).

Cycle (10001)        Cycle (01001)        Cycle (11101)
t   C(t)             t   C(t)             t   C(t)
0   1                0   1                0   1
1   1/5              1   -3/5             1   1/5
2   -3/5             2   1/5              2   1/5
3   -3/5             3   1/5              3   1/5
4   1/5              4   -3/5             4   1/5
Q3.
Consider a threshold generator (Lecture 6) with three LFSRs defined
by the connection polynomials and initial states:

$f_1(x) = x^2 + x + 1$, initial state 01
$f_2(x) = x^3 + x + 1$, initial state 001
$f_3(x) = x^3 + x^2 + 1$, initial state 001

Compute the first 30 bits of the output sequence of the threshold
generator. Is the output sequence balanced, that is, does it have about
equally many zeros and ones?
A3.
$f_1(x)$: [Figure: two-stage LFSR with stages $s^1_1, s^1_0$, both tapped, output $z^1_i$ = 1, 0, ...]
$f_2(x)$: [Figure: three-stage LFSR with stages $s^2_2, s^2_1, s^2_0$, output $z^2_i$ = 1, 0, 0, ...]
$f_3(x)$: [Figure: three-stage LFSR with stages $s^3_2, s^3_1, s^3_0$, output $z^3_i$ = 1, 0, 0, ...]

$z^1_0 \cdots z^1_{29}$ = 101101101101101101101101101101,
$z^2_0 \cdots z^2_{29}$ = 100101110010111001011100101110,
$z^3_0 \cdots z^3_{29}$ = 100111010011101001110100111010,
$v_0 \cdots v_{29}$ = 100101110011101001111100101110.
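Q2 (cycles and C(t)) and Q3 (the threshold generator) worked in code, as an added example that is not from the original slides. It assumes the LFSR convention of A2 (state written $s_{L-1} \dots s_0$, output from $s_0$, feedback into $s_{L-1}$ from the stages whose exponents appear in $f(x)$) and that the threshold generator is the bitwise majority of the three LFSR outputs.

```python
# Added example (not from the homework slides): an LFSR in the convention of A2
# and A3, plus the cycle decomposition of Q2-a, C(t) of Q2-b and the majority
# combiner of Q3 (assumed: the threshold generator is a bitwise majority vote).
from fractions import Fraction

def step(taps, state):
    """One clock. state is a bit string 's_{L-1}...s_0'; returns the next state."""
    s = [int(b) for b in reversed(state)]       # s[j] is stage s_j
    fb = 0
    for j in taps:                              # feedback = XOR of the tapped stages
        fb ^= s[j]
    s = s[1:] + [fb]                            # right shift; feedback enters s_{L-1}
    return "".join(str(b) for b in reversed(s))

def output(taps, state, nbits):
    """The first nbits output bits z_0, z_1, ... (s_0 is read before each clock)."""
    bits = []
    for _ in range(nbits):
        bits.append(int(state[-1]))
        state = step(taps, state)
    return bits

def cycles(taps, degree):
    """Partition all 2^L states into the cycles the register walks (Q2-a)."""
    seen, result = set(), []
    for n in range(1 << degree):
        st = format(n, f"0{degree}b")
        if st in seen:
            continue
        cyc = []
        while st not in seen:
            seen.add(st)
            cyc.append(st)
            st = step(taps, st)
        result.append(cyc)
    return result

def autocorrelation(z, t):
    """C(t) = (1/N) sum_{i=0}^{N-1} (2 z_i - 1)(2 z_{i+t} - 1), z being one period."""
    N = len(z)
    return Fraction(sum((2 * z[i] - 1) * (2 * z[(i + t) % N] - 1) for i in range(N)), N)

def threshold(lfsrs, nbits):
    """Threshold generator of Q3: majority of the three LFSR output bits, as a string."""
    streams = [output(taps, st, nbits) for taps, st in lfsrs]
    return "".join(str(int(sum(col) >= 2)) for col in zip(*streams))

Q2_TAPS = (0, 1, 2, 3)                              # f(x) = x^4 + x^3 + x^2 + x + 1
Q3_LFSRS = [((0, 1), "01"), ((0, 1), "001"), ((0, 2), "001")]   # f_1, f_2, f_3 of Q3
```

Running `threshold(Q3_LFSRS, 30)` reproduces the sequence $v_0 \cdots v_{29}$ above, and counting its bits answers the balance question directly.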
Q4.
Let us consider the following two ways of specifying a 64-bit
initialisation vector IV for the counter mode of a 64-bit block cipher:
1. The IV is divided into two 32-bit counters, M-CTR and B-CTR.
   For each new key we set M-CTR = 0. For each new message the
   M-CTR is incremented by 1 and the B-CTR is set equal to 0.
2. For each new message a 64-bit random number R is generated
   and the IV is set equal to R.
Estimate in both cases how many different messages can be encrypted
with the same key before the probability of having two equal IV
values is too big (at least 1/2).
A4-a.
1. For each new key, M-CTR = 0.
2. For each new message, M-CTR = M-CTR + 1 (mod $2^{32}$) and
   B-CTR = 0.
3. Thus, after $2^{32}$ messages with the same key, the IV values start to
   repeat themselves.
A4-b.
1. IV = R = random() (mod $2^{64}$).
2. There are $2^{64}$ different possibilities for R.
3. The Birthday Paradox states that after R is generated about
   $\sqrt{2^{64}} = 2^{32}$ times, the probability of a collision is about $\frac{1}{2}$.
4. Thus, after $2^{32}$ initialisations the probability of having two equal
   IV values starts to get too big.
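The estimate in step 3 of A4-b spelled out, as an added derivation that is not on the original slides, with m denoting the number of random IVs drawn under one key:

$$\Pr[\text{no repeat among } m \text{ IVs}] = \prod_{i=1}^{m-1}\Bigl(1 - \frac{i}{2^{64}}\Bigr) \approx \exp\Bigl(-\frac{m(m-1)}{2 \cdot 2^{64}}\Bigr) \approx \exp\Bigl(-\frac{m^2}{2^{65}}\Bigr)$$

Setting this equal to $\frac{1}{2}$ gives $m^2 = 2^{65} \ln 2$, that is $m = 2^{32}\sqrt{2 \ln 2} \approx 1.18 \cdot 2^{32}$, which is the "about $2^{32}$" of step 3. With $2^n$ in place of $2^{64}$ the same computation gives the $2^{n/2}$ blocks used in Q6.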
Q5.
Let us consider the CBC mode of operation. Suppose that a sequence
$P_i$, i = 1, 2, 3, ... of plaintext blocks has been encrypted. Then let us
suppose that two equal ciphertext blocks are detected, say $C_k$ and $C_l$
such that $C_k = C_l$. What can one say about the corresponding
plaintexts $P_k$ and $P_l$?
A5.

[Figure: CBC encryption (left) and decryption (right) for blocks $P_1, P_2, P_3$: each $P_i$ is XORed with $C_{i-1}$ before $E_K$, starting from $C_0$; decryption applies $E_K^{-1}$ and XORs $C_{i-1}$ back.]

Recall that in CBC mode, a collision in ciphertext blocks $C_k = C_l$
gives us the following relation:

$$C_k = C_l \Rightarrow E_K(P_k \oplus C_{k-1}) = E_K(P_l \oplus C_{l-1})$$
$$\Rightarrow P_k \oplus C_{k-1} = P_l \oplus C_{l-1}$$
$$\Rightarrow P_k \oplus P_l = C_{k-1} \oplus C_{l-1}$$

So by XORing the previous ciphertext blocks $C_{k-1}, C_{l-1}$ the
difference of the plaintext blocks $P_k \oplus P_l$ can be obtained.
Q6.
Suppose that a block cipher is used in CBC mode. Let n denote the
block length. Using the result of the preceding problem, describe an
attack which reveals some information about the plaintext, and which
succeeds with probability 1/2 after about $2^{n/2}$ ciphertext blocks have
been decrypted.
A6.
• With a block length of n, the Birthday Paradox states that after
  about $\sqrt{2^n} = 2^{n/2}$ blocks have been encrypted, the probability of
  at least one ciphertext block collision is about $\frac{1}{2}$.
• So after $2^{n/2}$ ciphertext blocks have been intercepted, the
  encryption routine will start leaking information about the
  plaintext rather quickly (the difference of the plaintext blocks
  $P_k \oplus P_l$).
• While this won't directly lead to the recovery of the key, it can
  aid in the recovery of plaintext.
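The collision relation of A5 and the block count of A6 watched at toy scale, as an added example that is not from the original slides: the 16-bit block cipher is assumed to be a key-selected random permutation (so $2^{n/2} = 2^8 = 256$ blocks), and the plaintexts are constructed random blocks.

```python
# Added example (not from the homework slides): the relation from A5 exercised on
# a toy 16-bit block cipher, so that the 2^(n/2) bound of A6 is about 256 blocks
# and a collision can be watched happening. E_K is a key-selected random
# permutation standing in for a real cipher (assumption; only bijectivity is used).
import random

N_BITS = 16

def make_cipher(key):
    """Toy E_K: a permutation of the 2^16 block values selected by the key."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return table.__getitem__

def cbc_encrypt(enc, iv, blocks):
    """Returns [C_0 = IV, C_1, ..., C_m] with C_i = E_K(P_i XOR C_{i-1})."""
    cts = [iv]
    for p in blocks:
        cts.append(enc(p ^ cts[-1]))
    return cts

def first_collision(cts):
    """First pair (k, l), 1 <= k < l, with C_k == C_l, or None (C_0 is the IV, skipped)."""
    seen = {}
    for i in range(1, len(cts)):
        if cts[i] in seen:
            return seen[cts[i]], i
        seen[cts[i]] = i
    return None

def leaked_xor(cts, k, l):
    """What C_k = C_l gives away (A5): P_k XOR P_l = C_{k-1} XOR C_{l-1}."""
    return cts[k - 1] ^ cts[l - 1]

def demo(seed=2008, nblocks=4096):
    """Encrypt nblocks constructed random plaintext blocks under one key, wait for
    the first ciphertext collision and check the leaked XOR against the true
    plaintexts. Returns (l, holds): l is how many blocks had been seen by then."""
    rng = random.Random(seed)                       # constructed sample data
    enc = make_cipher(rng.getrandbits(N_BITS))
    pts = [rng.getrandbits(N_BITS) for _ in range(nblocks)]
    cts = cbc_encrypt(enc, rng.getrandbits(N_BITS), pts)
    hit = first_collision(cts)
    if hit is None:                                 # no repeat within nblocks
        return nblocks, False
    k, l = hit
    return l, leaked_xor(cts, k, l) == pts[k - 1] ^ pts[l - 1]
```

At a 64-bit block size the same count is about $2^{32}$ blocks, that is 32 GiB under one key, which is why a 64-bit block cipher in CBC mode has to be rekeyed well before that.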
