Cryptography Exam Questions and Solutions

This document contains solutions to exam problems from cryptography exams given at the University of Primorska. It begins with a preface providing background on the source of the problems and solutions. The body of the document contains 6 problems related to topics in cryptography like cryptanalysis, cipher modes of operation, cryptographic primitives, public key cryptography, and cryptographic protocols.

Selected Topics in Cryptography

Solved Exam Problems

Enes Pasalic
University of Primorska
Koper, 2013

Contents
1 Preface

2 Exam Problems

Preface

The following pages contain solutions to core problems from exams in Cryptography given at
the Faculty of Mathematics, Natural Sciences and Information Technologies at the University of
Primorska.

Enes Pasalic
enes.pasalic@upr.si

Exam Problems

Problem 0
You have found an old ciphertext, where you know that the plaintext discusses cryptographic
methods. You suspect that a Vigenere cipher has been used and therefore look for repeated
strings in the ciphertext.
You find that the string TICRMQUIRTJR occurs twice in the ciphertext. The first occurrence
starts at character position 10 in the text and the second at character position 241 (we start
counting from 1).
You make the inspired guess that this ciphertext sequence is the encryption of the plaintext
word cryptography. If this guess is correct, what is the key?
Hint : Analyze the possible periods.
Solution. To estimate the period we use the Kasiski test. The distance between the two occurrences given is
$241 - 10 = 231 = 3 \cdot 7 \cdot 11$
positions.
Possible periods are thus 3, 7 and 11. If the guess is correct, we can immediately find the
corresponding shifts: at position 10 the shift is
$T - c = 19 - 2 = 17 = r.$
Similar computations for the other positions give the shift keys
rrectcorrect
We now see that this is not periodic with periods 3 or 11, while period 7 is possible. The keyword
of length 7 starts at position 15; hence the keyword is
correct.
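The Kasiski step and the crib-to-keyword step above, as an added worked example that is not part of the original solutions. It lists all divisors of the distance as candidate periods (the solution names only the prime factors), derives the shift letters from the guessed plaintext, picks the smallest consistent period and aligns the keyword to text position 1; the segment, positions and crib are the values from Problem 0.

```python
from math import gcd

# Constructed from Problem 0: the repeated ciphertext string, its two 1-based start
# positions, and the guessed plaintext word (the crib).
CIPHER_SEGMENT = "TICRMQUIRTJR"
POSITIONS = (10, 241)
CRIB = "cryptography"


def candidate_periods(positions):
    """Kasiski test: the key period divides every distance between repeats,
    so return the divisors (> 1) of the gcd of those distances."""
    g = 0
    for a, b in zip(positions, positions[1:]):
        g = gcd(g, b - a)
    return [d for d in range(2, g + 1) if g % d == 0]


def shifts_from_crib(cipher_segment, crib):
    """Key letters implied by assuming cipher_segment is the Vigenere encryption of crib."""
    out = []
    for c, p in zip(cipher_segment.upper(), crib.lower()):
        shift = (ord(c) - ord("A") - (ord(p) - ord("a"))) % 26
        out.append(chr(ord("a") + shift))
    return "".join(out)


def is_periodic(s, period):
    return all(s[i] == s[i - period] for i in range(period, len(s)))


def recover_keyword(cipher_segment, positions, crib):
    """Return (period, keyword) for the smallest candidate period consistent with
    the crib-derived shifts, aligned so the keyword starts at text position 1."""
    shifts = shifts_from_crib(cipher_segment, crib)
    for period in candidate_periods(positions):
        if period > len(shifts):
            break  # the crib is too short to confirm longer periods
        if is_periodic(shifts, period):
            # Position 1 is congruent to (first position + offset) modulo the period.
            offset = (1 - positions[0]) % period
            return period, shifts[offset:offset + period]
    return None


def vigenere_decrypt(ciphertext, keyword, start_position=1):
    """Decrypt letters whose first letter sits at text position start_position,
    with the keyword phased so that its first letter aligns with position 1."""
    out = []
    for i, c in enumerate(ciphertext.upper()):
        k = keyword[(start_position - 1 + i) % len(keyword)]
        out.append(chr((ord(c) - ord("A") - (ord(k) - ord("a"))) % 26 + ord("a")))
    return "".join(out)


if __name__ == "__main__":
    print(candidate_periods(POSITIONS))                     # [3, 7, 11, 21, 33, 77, 231]
    print(shifts_from_crib(CIPHER_SEGMENT, CRIB))           # rrectcorrect
    print(recover_keyword(CIPHER_SEGMENT, POSITIONS, CRIB)) # (7, 'correct')
```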

Problem 1
Alice wants to encrypt some sequence of independent decimal digits and send it to Bob. Let
$E_K$ denote the encryption function operating on decimal digits. A sequence of decimal digits
$M_1, M_2, \ldots, M_n \in \mathbb{Z}_{10}$ is encrypted to a sequence of ciphertext symbols $C_1, C_2, \ldots, C_n$, $C_i \in \mathbb{Z}_{10}$,
by
$C_i = E_K(M_i), \quad \forall i,\ 1 \le i \le n.$
a) Determine which of the following mappings are possible encryption functions: $E_K(M) = M$, $E_K(M) = K$, $E_K(M) = M + K$, $E_K(M) = M \cdot K$, $E_K(M) = M^{K+1}$, if $M, K \in \mathbb{Z}_{10}$, and all
operations above are performed $\pmod{10}$.

b) Determine the unicity distance if the cipher is a simple substitution cipher and
$P(M = 0) = P(M = 1) = 4 \cdot P(M = 2),$
together with
$P(M = 2) = P(M = 3) = \cdots = P(M = 8) = P(M = 9).$
Hint: The entropy of language, denoted by HL in the textbook, is here the entropy per definition
of plaintext (message) digits.

Solution
a) An encryption function must be bijective (invertible) for every fixed key $K$. Clearly, $E_K(M) = M$
and $E_K(M) = M + K$ are bijective. The others are not bijective for all $K$.
b) Unicity distance (pg. 63) is defined as
$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L},$
using the definition (pg. 61) $R_L = 1 - \frac{H_L}{\log_2 |\mathcal{P}|}$.
From the conditions we also get:
$P(M = 0) = P(M = 1) = 4 \cdot P(M = i),\ i \in [2, 9] \;\Rightarrow\; P(M = 0) = \frac{1}{4};\ P(M = 2) = \frac{1}{16}.$
$\log_2 |\mathcal{K}| = H(K) = \log_2 (10!)$
$\log_2 |\mathcal{P}| = H(P) = \log_2 (10)$
$H_L = H(M) = -2 \cdot \frac{1}{4} \log_2 \frac{1}{4} - 8 \cdot \frac{1}{16} \log_2 \frac{1}{16} = 3$ (indicated by the hint)
So
$n_0 = \frac{\log_2 (10!)}{\log_2 (10) - 3} = 67.8 \approx 68.$

Problem 2
In the textbook the four basic modes of operation of block ciphers (ECB, CBC, OFB, CFB)
are analyzed with respect to error propagation in encryption. That is, the consequences for the ciphertext blocks of changing a single plaintext block are discussed.
a) For all four modes of operation analyze the effect on the decryption of the remaining blocks if, for
the sequence of ciphertext blocks $c_1, c_2, \ldots, c_n$, some ciphertext block $c_j$ is erroneous, $1 \le j < n$.
That is, specify which of the plaintext blocks $x_j, x_{j+1}, x_{j+2}, \ldots, x_n$ are received correctly.
b) One of the recommendations for a proper use of the One-time pad (to ensure perfect secrecy)
is to never reuse the same key for the encryption of two different messages. The simplest way to
implement the One-time pad is to generate a random key sequence of the same length as the message
and to encrypt using
$C_i = M_i + K_i \pmod{26},$
where the $K_i$ are random key characters and $\mathcal{M} = \mathcal{K} = \mathcal{C} = \mathbb{Z}_{26}$. Explain how only the knowledge of
two different ciphertext sequences $C = C_1 C_2 \cdots C_n$ and $C' = C'_1 C'_2 \cdots C'_n$, obtained by applying
the same secret key, can compromise the security of the system.

Solution
a) The four modes of operation are found on pages 83–85. For simplicity assume the ciphertext block $c_1$ (in the notation of the book $y_1$) is incorrect.
ECB mode: Only $x_1$ is decrypted incorrectly.
CBC mode: Only $x_1, x_2$ are decrypted incorrectly.
OFB mode: Only $x_1$ is decrypted incorrectly.
CFB mode: Only $x_1, x_2$ are decrypted incorrectly.
b) Given are:
$C_i = M_i + K_i \pmod{26}, \qquad C'_i = M'_i + K_i \pmod{26}.$
Then (subtracting the two equations) $M_i - M'_i \equiv C_i - C'_i \pmod{26}$ for $i = 1, \ldots, n$. Either of the two
answers would suffice:
1. If we know $C_i, C'_i$, using message redundancy one can find $M_i, M'_i$ from the known $M_i - M'_i$.
2. Known plaintext attack: The knowledge of $M_i$ implies $M'_i \equiv C'_i - C_i + M_i \pmod{26}$.
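The error-propagation table in a), as an added simulation that is not part of the original solutions. A 4-bit toy block cipher stands in for $E_K$ (the PRESENT S-box is used only as a convenient fixed permutation, with no security claim); the message and IV are constructed values, and the function reports which plaintext blocks decrypt wrongly after a single bit flip in $c_j$ for any $j$, not just $j = 1$.

```python
# Toy 4-bit "block cipher": the PRESENT S-box as a fixed permutation E of {0..15}.
# It stands in for E_K only to show how errors move between blocks (constructed, no security).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def E(x):
    return SBOX[x]


def D(y):
    return INV_SBOX[y]


def encrypt(mode, blocks, iv):
    """Encrypt 4-bit blocks in ECB, CBC, OFB or CFB mode; returns ciphertext blocks."""
    out, prev, feedback = [], iv, iv
    for x in blocks:
        if mode == "ECB":
            c = E(x)
        elif mode == "CBC":
            c = E(x ^ prev)
        elif mode == "OFB":
            feedback = E(feedback)      # keystream does not depend on the data
            c = x ^ feedback
        elif mode == "CFB":
            c = x ^ E(prev)             # keystream depends on the previous ciphertext block
        else:
            raise ValueError(mode)
        out.append(c)
        prev = c
    return out


def decrypt(mode, blocks, iv):
    out, prev, feedback = [], iv, iv
    for c in blocks:
        if mode == "ECB":
            x = D(c)
        elif mode == "CBC":
            x = D(c) ^ prev
        elif mode == "OFB":
            feedback = E(feedback)
            x = c ^ feedback
        elif mode == "CFB":
            x = c ^ E(prev)
        else:
            raise ValueError(mode)
        out.append(x)
        prev = c
    return out


def damaged_blocks(mode, plaintext, iv, j):
    """Flip one bit in ciphertext block c_j (1-based) and return the 1-based indices of
    the plaintext blocks that no longer decrypt correctly."""
    ct = encrypt(mode, plaintext, iv)
    ct[j - 1] ^= 0x1
    recovered = decrypt(mode, ct, iv)
    return [i + 1 for i, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]


PLAINTEXT = [0x1, 0x2, 0x3, 0x4, 0x5]   # constructed 5-block message
IV = 0x7                                # constructed IV


def error_propagation(j=1):
    """Map each mode to the blocks damaged by an error in c_j."""
    return {m: damaged_blocks(m, PLAINTEXT, IV, j) for m in ("ECB", "CBC", "OFB", "CFB")}
```

Because E is a permutation, the damaged block itself and (for CBC and CFB) the one after it are always wrong, independent of the particular toy cipher chosen.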

Problem 3
a) The so-called S-box (Substitution box) is a widely used cryptographic primitive in symmetric-key cryptosystems. In AES (Advanced Encryption Standard) the 16 S-boxes in each round are
identical. All these S-boxes implement the inverse function in the Galois field $GF(2^8)$, which can
also be seen as a mapping $S : \{0, 1\}^8 \to \{0, 1\}^8$, so that
$S : x \in GF(2^8) \mapsto x^{-1} \in GF(2^8),$
that is, 8 input bits are mapped to 8 output bits. What is the total number of possible mappings
one can specify for the function $S$?
Hint: Any function $f : GF(2^n) \to GF(2^n)$ can be represented as a polynomial
$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{2^n - 2} x^{2^n - 2} + a_{2^n - 1} x^{2^n - 1}, \quad a_i \in GF(2^n).$

b) Construct the Galois field of 16 elements, $GF(2^4)$, using the primitive polynomial $f(x) = x^4 + x + 1$.
Compute the powers $x^i$, $0 \le i \le 14$, and represent these powers (multiplicative group) as polynomials of the form $a_0 + a_1 x + a_2 x^2 + a_3 x^3$.

c) Assume we want to implement an S-box using the Galois field from b). If we would like
our S-box to be bijective, is it a good choice to use the function $S : GF(2^4) \to GF(2^4)$ specified by
$S : x \in GF(2^4) \mapsto x^3 \in GF(2^4)?$
Motivate your answer!

Solution
a) The question is how many mappings there are over the field $GF(2^n)$. Using the hint, any
function $f : GF(2^n) \to GF(2^n)$ can be represented as a polynomial
$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{2^n - 2} x^{2^n - 2} + a_{2^n - 1} x^{2^n - 1}, \quad a_i \in GF(2^n).$
Any $a_i$ can be chosen in $2^n$ ways, so the total number of mappings over $GF(2^n)$ is
$\underbrace{2^n \cdot 2^n \cdots 2^n}_{2^n \text{ times}} = 2^{n 2^n}.$
b) In the textbook the field of 8 elements $GF(2^3)$ is constructed. We use the primitive polynomial
$x^4 + x + 1$:

$x^i \pmod{x^4 + x + 1}$ | $a_3 a_2 a_1 a_0$
0 | 0000
$x^0 = 1$ | 0001
$x^1 = x$ | 0010
$x^2 = x^2$ | 0100
$x^3 = x^3$ | 1000
$x^4 = x + 1$ | 0011
$x^5 = x \cdot x^4 = x^2 + x$ | 0110
... | ...
$x^{14} = x^3 + 1$ | 1001
$x^{15} = x^4 + x = 1$ | 0001

c) Note that the order of any element divides the order of the group. For any polynomial above
$p(x)^{15} = 1$. As our mapping is $x^3$ and the order of the multiplicative group is 15, it means that e.g.
$1 \mapsto 1^3 = 1$
$x^5 \mapsto x^{15} = 1$
$x^{10} \mapsto x^{30} = (x^{15})^2 = 1$
Hence $x^3$ is not bijective; the image space contains only 6 elements.
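Parts a), b) and c) carried out in code, as an added example that is not part of the original solutions: a bit-vector multiplication modulo $x^4 + x + 1$, the full table of the 15 powers of $x$ (the solution above shows only some rows), the order of $x$, and the image size of $x \mapsto x^3$ compared with the bijective AES-style inverse map $x \mapsto x^{14} = x^{-1}$. The modulus and field size are the ones from the problem; everything else is constructed here.

```python
# Added example for Problem 3: GF(2^4) built from the primitive polynomial x^4 + x + 1.
MODULUS = 0b10011   # x^4 + x + 1 as a coefficient bit vector (a4 a3 a2 a1 a0)
FIELD_BITS = 4


def gf_mul(a, b, modulus=MODULUS, bits=FIELD_BITS):
    """Multiply two field elements given as coefficient bit vectors, reducing by `modulus`."""
    result = 0
    for _ in range(bits):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> bits:            # degree reached `bits`: subtract (XOR) the modulus
            a ^= modulus
    return result


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def poly_str(v):
    """Render a bit vector as a0 + a1 x + a2 x^2 + a3 x^3, omitting zero terms."""
    names = ["1", "x", "x^2", "x^3"]
    terms = [names[i] for i in range(FIELD_BITS) if (v >> i) & 1]
    return " + ".join(terms) if terms else "0"


def power_table():
    """Rows (i, bits a3a2a1a0, polynomial) for x^i, 0 <= i <= 14; x^15 wraps around to 1."""
    x = 0b0010
    return [(i, format(gf_pow(x, i), "04b"), poly_str(gf_pow(x, i))) for i in range(15)]


def multiplicative_order(a):
    """Smallest k >= 1 with a^k = 1 (a must be nonzero)."""
    k, r = 1, a
    while r != 1:
        r = gf_mul(r, a)
        k += 1
    return k


def image_size(exponent):
    """Number of distinct values of v^exponent over all 16 field elements; 16 means bijective."""
    return len({gf_pow(v, exponent) for v in range(16)})


def num_mappings(n):
    """Problem 3 a): the number of functions GF(2^n) -> GF(2^n) is (2^n)^(2^n) = 2^(n 2^n)."""
    return 2 ** (n * 2 ** n)


if __name__ == "__main__":
    for i, bits, poly in power_table():
        print(f"x^{i:<2} = {poly:<20} {bits}")
    print("order of x:", multiplicative_order(0b0010))      # 15
    print("image size of x -> x^3:", image_size(3))         # 6
    print("image size of x -> x^14 (inverse):", image_size(14))  # 16
```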

Problem 4
a) Factor the RSA number $n = 3844384501$ using the knowledge that
$3117761185^2 \equiv 1 \pmod{3844384501}.$

b) Prove that the number 31803221 is not a prime number using the hint
$2^{31803212} \equiv 27696377 \pmod{31803221}.$

Motivate your answer.

Solution
a) We want to factor the RSA number $n = 3844384501$ using the knowledge that
$3117761185^2 \equiv 1 \pmod{3844384501}.$
Note that $(3117761185 - 1)(3117761185 + 1) \equiv 0 \pmod n$; then
$p = \gcd(3117761184, 3844384501) = 67801,$
$q = n / p = 56701.$
b) We want to prove that the number $n = 31803221$ is not a prime number using the hint
$2^{n - 9} \equiv 27696377 \pmod{31803221}$. By Fermat's little theorem, for any prime number $p$ and
$a \in \mathbb{Z}_p$, $a \ne 0$, we have $a^{p - 1} \equiv 1 \pmod p$ (note $a^{p - 1}$, not $a^p$).
By testing: $2^{n - 1} = 2^{n - 9} \cdot 2^8 \equiv 27696377 \cdot 256 \equiv 29957450 \not\equiv 1 \pmod{31803221}$. Hence $n$ is not a
prime number!
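Both parts of Problem 4 checked by computation, as an added example that is not part of the original solutions: a nontrivial square root of 1 modulo $n$ yields a factor through a gcd, and a Fermat witness proves compositeness without factoring. The numbers are the ones from the problem; the functions are constructed here.

```python
from math import gcd

N = 3844384501           # Problem 4 a): the RSA modulus from the page
X = 3117761185           # hint: X^2 ≡ 1 (mod N) with X ≠ ±1
N2 = 31803221            # Problem 4 b): the number to be shown composite
HINT_POWER = 27696377    # hint: 2^(N2 - 9) mod N2, as given on the page


def factor_from_sqrt_of_one(n, x):
    """If x^2 ≡ 1 (mod n) but x ≢ ±1, then n | (x-1)(x+1) while n divides neither factor,
    so gcd(x - 1, n) is a proper divisor. Returns (p, q) or None when x is trivial."""
    if pow(x, 2, n) != 1 or x % n in (1, n - 1):
        return None
    p = gcd(x - 1, n)
    if p in (1, n):
        return None
    return p, n // p


def fermat_says_composite(n, a=2):
    """Fermat test with base a: a^(n-1) ≢ 1 (mod n) is a proof that n is composite.
    (a^(n-1) ≡ 1 proves nothing; Carmichael numbers pass for every coprime base.)"""
    return pow(a, n - 1, n) != 1


def finish_hint(n=N2, hint=HINT_POWER):
    """The page's last step: extend 2^(n-9) ≡ hint to 2^(n-1) by multiplying by 2^8."""
    return (hint * 256) % n


if __name__ == "__main__":
    print(factor_from_sqrt_of_one(N, X))      # (67801, 56701)
    print(finish_hint())                      # 29957450
    print(fermat_says_composite(N2))          # True
```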

Problem 5
a) Given are two protocols in which the sender's party performs the following operation:
Protocol A:
$y = e_{k_1}(x \,\|\, H(k_2 \,\|\, x)),$
where $x$ is the message, $H$ is a hash function such as SHA-1, $e$ is a symmetric-key encryption
algorithm, $\|$ denotes simple concatenation, and $k_1, k_2$ are secret keys which are only known to
the sender and the receiver.
Protocol B:
$y = e_k(x \,\|\, sig_{k_{pr}}(H(x))),$
where $k$ is a shared secret key, and $k_{pr}$ is a private key of the sender (not shared with the receiver).
Provide a step-by-step description (e.g., with an itemized list) of what the receiver does upon
reception of $y$.
b) State whether the following security services:
- confidentiality
- integrity
- non-repudiation (preventing an entity from denying previous commitments or actions)
are provided by each of the two protocols given in the previous problem.

Solution
a) For Protocol A the receiver performs the following:
1. Decryption of $y$ using the symmetric key $k_1$: $d_{k_1}(y) = x \,\|\, H(k_2 \,\|\, x)$.
2. Concatenate $k_2$ and $x$, where $k_2$ is the 2nd (shared) secret key.
3. Compute the hash of $k_2 \,\|\, x$, that is $H(k_2 \,\|\, x)$.
4. Compare the computed hash value with the one obtained in step 1.
For Protocol B the receiver performs the following:
1. Decrypt as in step 1 of A, $d_k(y) = x \,\|\, sig_{k_{pr}}(H(x))$, using the shared symmetric key $k$.
2. Compute $H(x)$.
3. Feed $H(x)$ and $sig_{k_{pr}}(H(x))$ into the verification algorithm and check if the signature on $H(x)$ is valid.
The verification algorithm needs the public key of the sender.
b) For protocol A we have:
- confidentiality: YES, through encryption.
- integrity: YES, through hashing; changing $y$ leads to an invalid pair $x'$ and $H(k_2 \,\|\, x')$.
- non-repudiation: NO, both Alice (sender) and Bob (receiver) can generate a valid message
$y = e_{k_1}(x \,\|\, H(k_2 \,\|\, x))$.
For protocol B we have:
- confidentiality: YES, through encryption.
- integrity: YES, through signing; changing $y$ leads to an invalid pair $x'$ and $sig_{k_{pr}}(H(x'))$.
- non-repudiation: YES, only the sender can send a message with a valid signature.

Problem 6
We wish to encrypt a memoryless source with alphabet $\mathcal{M} = \{0, 1, 2\}$ and $P(M = 0) = 1/2$, $P(M = 1) = p$, $P(M = 2) = 1/2 - p$, $0 \le p \le 1/2$. Let the key $K = (K_0, K_1, K_2)$ be
chosen uniformly from the set of binary 3-tuples. A sequence of messages $M_1, M_2, \ldots, M_n$ is
encrypted to a sequence of ciphertexts $C_1, C_2, \ldots, C_n$ by
$C_i = M_i + K_{i \bmod 3} \pmod 3, \quad \forall i,\ 1 \le i \le n.$

a) Find all values of $p$ that give a unicity distance larger than 20.
b) Let $p = 0$. Propose a new cipher for this source that has an infinite unicity distance.

Solution
a) Unicity distance is defined as
$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L},$
using the definition $R_L = 1 - \frac{H_L}{\log_2 |\mathcal{P}|}$.
$\log_2 |\mathcal{K}| = H(K) = \log_2 8 = 3$
$\log_2 |\mathcal{P}| = H(P) = \log_2 3$
$H_L = H(M) = -\frac{1}{2} \log_2 \frac{1}{2} - p \log_2 p - \left(\frac{1}{2} - p\right) \log_2 \left(\frac{1}{2} - p\right) = \ldots = 1 + \frac{1}{2}\left(-2p \log_2 2p - (1 - 2p) \log_2 (1 - 2p)\right) = 1 + \frac{1}{2} h(2p).$
So
$n_0 = \frac{3}{\log_2 3 - 1 - \frac{1}{2} h(2p)} = \frac{3}{\log_2 \frac{3}{2} - \frac{1}{2} h(2p)} > 20.$
This gives $h(2p) > 0.87$. By the trial method, $h(2p) = 0.87$ has two solutions, $2p = 0.291$ and $2p = 0.709$
(symmetric around 1/2). Thus $0.291 \le 2p \le 0.709$, so that $0.15 \le p \le 0.35$.
b) When $p = 0$ there are only two plaintexts, $M = 0$ and $M = 2$. Define
$\phi(M) = \begin{cases} 0, & \text{if } M = 0, \\ 1, & \text{if } M = 2. \end{cases}$
Then $C_i = \phi(M_i) + K_{i \bmod 3} \pmod 2$ has infinite unicity distance.
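The unicity-distance computations of Problem 1 b) and of Problem 6 a) and b) in one added example, not part of the original solutions. The generic function returns infinity when the plaintext entropy equals $\log_2 |\mathcal{P}|$ (no redundancy), which is exactly what makes the relabelled cipher of 6 b) unbreakable by a ciphertext-only attack; the range of $p$ in 6 a) is found by a plain scan rather than the trial method. Distributions and key sizes are the ones stated in the problems; the scan step is an assumption.

```python
from math import log2, inf, factorial


def entropy(probs):
    """Shannon entropy in bits; zero-probability symbols contribute nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)


def unicity_distance(key_bits, alphabet_size, h_l):
    """n0 = log2|K| / (log2|P| - H_L). With no redundancy (H_L = log2|P|) it is infinite."""
    denominator = log2(alphabet_size) - h_l
    if denominator <= 1e-12:
        return inf
    return key_bits / denominator


def problem1_unicity():
    """Problem 1 b): simple substitution on Z10 (|K| = 10!), P(0)=P(1)=1/4, P(2..9)=1/16."""
    probs = [1 / 4, 1 / 4] + [1 / 16] * 8
    return unicity_distance(log2(factorial(10)), 10, entropy(probs))


def problem6_unicity(p):
    """Problem 6 a): source {0,1,2} with P(0)=1/2, P(1)=p, P(2)=1/2-p; key is a binary 3-tuple."""
    probs = [1 / 2, p, 1 / 2 - p]
    return unicity_distance(3, 3, entropy(probs))


def problem6_p_range(threshold=20, step=0.0005):
    """Scan p over [0, 1/2] (constructed step) and return (smallest, largest) p with n0 > threshold."""
    hits = [k * step for k in range(int(0.5 / step) + 1) if problem6_unicity(k * step) > threshold]
    return (min(hits), max(hits)) if hits else None


def problem6b_unicity():
    """Problem 6 b) with p = 0: relabel M=0 -> 0, M=2 -> 1 and add a key bit mod 2.
    The two plaintext symbols are equiprobable, so H_L = log2 2 and n0 is infinite."""
    return unicity_distance(3, 2, entropy([1 / 2, 1 / 2]))


if __name__ == "__main__":
    print(round(problem1_unicity(), 1))        # 67.7, i.e. about 68 digits
    print(problem6_p_range())                  # roughly (0.1455, 0.3545)
    print(problem6_unicity(0), problem6b_unicity())   # finite vs. inf
```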

Problem 7
Differential cryptanalysis is based on the so-called characteristics, which are essentially differences
in plaintext pairs that have a high probability of causing certain differences in ciphertext pairs.
a) Explain why the input differences to the first round of DES are chosen in a specific form so
that $(L, R)$ and $(L^*, R^*)$ differ only in a few positions. In the second round the characteristic $R'_1$ is
always chosen to be $00000000_{16}$. Why? Careful motivation is needed.
b) DESX was proposed by R. Rivest to protect DES against exhaustive key search. DESX
uses one 64-bit secret key $W$ to perform pre- and post-whitening of the data and a 56-bit DES key $K$,
and operates as follows:
$C = W \oplus E_K(P \oplus W).$
Show that a similar construction,
$C = W \oplus E_K(P),$
without pre-whitening is insecure and can be broken using an attack of complexity $2^{56}$.

Solution
a) The input pairs are chosen so that their difference is of low weight in order to keep the number of active S-boxes as low as possible. The idea is to have 0 as the input difference to seven
S-boxes, while the input difference to the remaining S-box is nonzero, chosen to maximize the probability
of the output difference that the input difference $(L'', R'')$ may cause (difference distribution table).
Choosing $R'_1$ to be $00000000_{16}$, the 1-round characteristic has the maximum probability $p = 1$; see
the textbook.
b) Assume we have a small number of plaintext/ciphertext pairs $(P_i, C_i)$. Then for all $2^{56}$ possible
values of $K$ we can compute $E_K(P_0)$ and $E_K(P_1)$. For the correct guess we must have
$C_0 \oplus C_1 = W \oplus E_K(P_0) \oplus W \oplus E_K(P_1) = E_K(P_0) \oplus E_K(P_1).$
However, if the key is not correct then the probability that $C_0 \oplus C_1 = E_K(P_0) \oplus E_K(P_1)$ is negligible
(one may test further with more $(P_i, C_i)$ pairs).
Finally, the key $W$ is computed as $W = C_1 \oplus E_K(P_1)$. The complexity is approximately $2^{56}$ operations.

Problem 8
a) For fast encryption in RSA it is popular to use $e = 3$. Although RSA is considered to
be a secure public-key cryptosystem, implementations of RSA can make encryption completely insecure.
Assume that $M \in \mathbb{Z}_{2^{64}}$ is a 64-bit plaintext that is encrypted using a 512-bit RSA modulus
$n$ and encryption exponent $e = 3$. Explain why this is completely insecure.
Demonstrate this by finding the plaintext corresponding to the ciphertext $C = 33076161$ when
$n = 100082119$.
b) Suppose an active adversary wishes to decrypt a particular message $c = m^e \bmod n$ intended
for A. Assume also that A will decrypt arbitrary ciphertexts for the adversary other than $c$ itself.
Describe how the adversary can make A reveal the plaintext message $m$ corresponding to $c$.

Solution
a) Using 64-bit messages together with $e = 3$, no modular reduction occurs for a
512-bit modulus $n$ (since $M^3 < 2^{192} < n$). For the given $C$ we have $P = C^{1/3} = 321$.
b) The adversary gives $\hat{c} = c x^e$ to A for decryption, where $x \ne 1$ is a random element from $\mathbb{Z}_n^*$. A
computes $\hat{m} = \hat{c}^d \pmod n$, which equals
$\hat{m} \equiv \hat{c}^d \equiv c^d (x^e)^d \equiv m x \pmod n.$
From this the adversary computes $m = \hat{m} x^{-1} \pmod n$.
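Both failure modes of textbook RSA from Problem 8, as an added example that is not part of the original solutions: an exact integer $e$-th root recovers a small message encrypted without padding, and a decryption oracle that refuses only the exact target ciphertext is defeated by blinding (which is why deployed RSA uses randomized padding and never exposes raw decryption). The ciphertext 33076161 is from the problem; the small RSA key ($n = 3233$, $e = 17$, $d = 2753$) and the oracle are constructed here.

```python
def iroot(n, e):
    """Exact integer e-th root of n by binary search (None if n is not a perfect e-th power)."""
    lo, hi = 0, 1 << (n.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** e < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** e == n else None


def small_exponent_recover(c, e=3):
    """Problem 8 a): if m^e < n the ciphertext is m^e over the integers, so m = c^(1/e)."""
    return iroot(c, e)


TOY_N, TOY_E, TOY_D = 3233, 17, 2753   # constructed textbook RSA key: p = 61, q = 53


def decrypt_oracle(c, refused):
    """Models A: decrypts any ciphertext except the one it refuses (the target c)."""
    if c == refused:
        raise PermissionError("A refuses to decrypt the target ciphertext")
    return pow(c, TOY_D, TOY_N)


def blinding_recovery(c, x, n=TOY_N, e=TOY_E):
    """Problem 8 b): submit c·x^e (which is not c), receive m·x, unblind with x^{-1} mod n."""
    c_hat = (c * pow(x, e, n)) % n
    m_hat = decrypt_oracle(c_hat, refused=c)
    return (m_hat * pow(x, -1, n)) % n


if __name__ == "__main__":
    print(small_exponent_recover(33076161))            # 321
    target = pow(65, TOY_E, TOY_N)                     # constructed target: m = 65
    print(blinding_recovery(target, 7))                # 65
```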

Problem 9
An RSA cryptosystem has open parameters $n, e$ and trapdoor parameters $d, p, q, \phi(n)$, where
$p, q$ are primes and $ed \equiv 1 \pmod{\phi(n)}$.
a) Determine how many numbers in $\{0, 1, \ldots, \phi(n)\}$ are possible values for $e$ if $p = 2p_1 + 1$
and $q = 2q_1 + 1$, where $p_1$ and $q_1$ are primes.
b) The prime number theorem states that the number of primes not exceeding $N$ is approximately $N / \ln N$. Thus the primes are relatively dense compared to the non-primes.
Therefore for the generation of $p$ and $q$ we may adopt the following strategy: test the prime $p$ with
some primality test and then choose $q$ close to $p$ with the same primality tests. This ensures that
$p$ and $q$ are about the same size. Can you use this method to generate primes for an RSA cryptosystem? Motivate your answer.
c) Prove that $D(E(M)) = M$ for the case $\gcd(M, n) = 1$.

Solution
a) $\phi(\phi(n)) = \phi((p - 1)(q - 1)) = \phi(4 p_1 q_1) = 2(p_1 - 1)(q_1 - 1)$.
b) This is not a good method because if $p$ and $q$ are close to each other then factoring $N$ reduces to computing $\sqrt{N}$ and finding close prime integers.
c) See the lecture notes.
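Parts a) and b) made concrete, as an added example that is not part of the original solutions: the count of valid $e$ is checked by brute force against $2(p_1 - 1)(q_1 - 1)$ for a small safe-prime pair, and Fermat's factoring method shows why primes chosen close to each other are a bad idea: it recovers $p, q$ from $N = a^2 - b^2$ in very few steps when $q - p$ is small. All numbers are constructed.

```python
from math import gcd, isqrt


def count_valid_e(phi_n):
    """Brute-force count of e in {0, ..., phi_n} with gcd(e, phi_n) = 1."""
    return sum(1 for e in range(phi_n + 1) if gcd(e, phi_n) == 1)


def formula_valid_e(p1, q1):
    """Closed form from the solution: phi(phi(n)) = 2 (p1 - 1)(q1 - 1) for p = 2p1+1, q = 2q1+1."""
    return 2 * (p1 - 1) * (q1 - 1)


def fermat_factor(n, max_steps=100000):
    """Fermat's method: search a >= ceil(sqrt n) with a^2 - n a perfect square b^2,
    then n = (a - b)(a + b). Returns ((a-b, a+b), steps) or None if max_steps is exceeded."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for steps in range(1, max_steps + 1):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return (a - b, a + b), steps
        a += 1
    return None


if __name__ == "__main__":
    p1, q1 = 5, 11                       # constructed: p = 11, q = 23 are safe primes
    phi_n = (2 * p1) * (2 * q1)
    print(count_valid_e(phi_n), formula_valid_e(p1, q1))   # 80 80
    print(fermat_factor(10007 * 10009))                     # ((10007, 10009), 1)
```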

Problem 10
The following authenticated key agreement protocol is given:
1: A → B : $g^x \bmod p$
2: B → A : $g^y \bmod p$, $E_k(S_B(g^y \bmod p, g^x \bmod p))$
3: A → B : $E_k(S_A(g^x \bmod p, g^y \bmod p))$
We assume that the parties have agreed on a $(g, p)$ pair for Diffie-Hellman key exchange, that each
user has RSA keys for digital signatures and that they have agreed on a block cipher $E$ for use
in subsequent encryption. Furthermore, $k$ is the agreed secret key and $S_A$ and $S_B$ denote A's
and B's signature operations, respectively. Describe in detail (as a list) A's and B's actions at
receipt of messages 2 and 3 and what beliefs they have at that stage. Are A and B successfully
authenticated to each other after the protocol run?

Solution
We describe the actions and knowledge of the parties after all three messages. (a) After receiving $X$ as message 1, B can choose a $y$ and compute $k = X^y \bmod p$ as the session key. He then
computes $Y = g^y \bmod p$, signs $(Y; X)$ and encrypts it using key $k$. At this stage, B has no reason
to believe that the received message was actually from A. (b) After receiving $(Y; c)$ as message 2,
A can compute $k = Y^x \bmod p$. Then $k$ is the agreed common key, so she can use this to decrypt
$c$, getting $s$. Finally, she verifies that $s$ is B's signature on $(Y; X)$. A can now conclude that the
sender of message 2 knows:
- $k$, since he could encrypt using it.
- B's signing key, since he could produce the signature $s$.
- $X$ and $y$, the discrete log of $Y$ (since A successfully decrypted $c$ using $k = Y^x$, but anybody
else could only have computed $k$ as $X^y$).
- $(Y; X)$, since he signed it; this knowledge must be recent, since it includes $X$, which A
herself chose just before sending message 1.
From this evidence, A believes that the sender of message 2 is B and that therefore A and B
share $k$. (c) After receiving $c'$ as message 3, B decrypts it and verifies that the plaintext is A's
signature on $(X; Y)$. From similar reasoning as above, B concludes that the sender of message 3
is A and that A and B share $k$.

Problem 11
We wish to encrypt a memoryless source with alphabet $\mathcal{M} = \{0, 1, 2\}$ and $P(M = 0) = 1/2$, $P(M = 1) = p$, $P(M = 2) = 1/2 - p$, $0 \le p \le 1/2$. Let the key $K = (K_0, K_1, K_2)$ be
chosen uniformly from the set of binary 3-tuples. A sequence of messages $M_1, M_2, \ldots, M_n$ is
encrypted to a sequence of ciphertexts $C_1, C_2, \ldots, C_n$ by
$C_i = M_i + K_{i \bmod 3} \pmod 3, \quad \forall i,\ 1 \le i \le n.$

a) Find all values of $p$ that give a unicity distance larger than 20.
b) Let $p = 0$. Propose a new cipher for this source that has an infinite unicity distance.

Solution
a) Unicity distance is defined as
$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L},$
using the definition $R_L = 1 - \frac{H_L}{\log_2 |\mathcal{P}|}$.
$\log_2 |\mathcal{K}| = H(K) = \log_2 8 = 3$
$\log_2 |\mathcal{P}| = H(P) = \log_2 3$
$H_L = H(M) = -\frac{1}{2} \log_2 \frac{1}{2} - p \log_2 p - \left(\frac{1}{2} - p\right) \log_2 \left(\frac{1}{2} - p\right) = \ldots = 1 + \frac{1}{2}\left(-2p \log_2 2p - (1 - 2p) \log_2 (1 - 2p)\right) = 1 + \frac{1}{2} h(2p).$
So
$n_0 = \frac{3}{\log_2 3 - 1 - \frac{1}{2} h(2p)} = \frac{3}{\log_2 \frac{3}{2} - \frac{1}{2} h(2p)} > 20.$
This gives $h(2p) > 0.87$. By the trial method, $h(2p) = 0.87$ has two solutions, $2p = 0.291$ and $2p = 0.709$
(symmetric around 1/2). Thus $0.291 \le 2p \le 0.709$, so that $0.15 \le p \le 0.35$.
b) When $p = 0$ there are only two plaintexts, $M = 0$ and $M = 2$. Define
$\phi(M) = \begin{cases} 0, & \text{if } M = 0, \\ 1, & \text{if } M = 2. \end{cases}$
Then $C_i = \phi(M_i) + K_{i \bmod 3} \pmod 2$ has infinite unicity distance.

Problem 12
Differential cryptanalysis is based on the so-called characteristics, which are essentially differences
in plaintext pairs that have a high probability of causing certain differences in ciphertext pairs.
a) Explain why the input differences to the first round of DES are chosen in a specific form so
that $(L, R)$ and $(L^*, R^*)$ differ only in a few positions. In the second round the characteristic $R'_1$ is
always chosen to be $00000000_{16}$. Why? Careful motivation is needed.
b) DESX was proposed by R. Rivest to protect DES against exhaustive key search. DESX
uses one 64-bit secret key $W$ to perform pre- and post-whitening of the data and a 56-bit DES key $K$,
and operates as follows:
$C = W \oplus E_K(P \oplus W).$
Show that a similar construction,
$C = W \oplus E_K(P),$
without pre-whitening is insecure and can be broken using an attack of complexity $2^{56}$.

Solution
a) The input pairs are chosen so that their difference is of low weight in order to keep the number of active S-boxes as low as possible. The idea is to have 0 as the input difference to seven
S-boxes, while the input difference to the remaining S-box is nonzero, chosen to maximize the probability
of the output difference that the input difference $(L'', R'')$ may cause (difference distribution table).
Choosing $R'_1$ to be $00000000_{16}$, the 1-round characteristic has the maximum probability $p = 1$; see
the textbook.
b) Assume we have a small number of plaintext/ciphertext pairs $(P_i, C_i)$. Then for all $2^{56}$ possible
values of $K$ we can compute $E_K(P_0)$ and $E_K(P_1)$. For the correct guess we must have
$C_0 \oplus C_1 = W \oplus E_K(P_0) \oplus W \oplus E_K(P_1) = E_K(P_0) \oplus E_K(P_1).$
However, if the key is not correct then the probability that $C_0 \oplus C_1 = E_K(P_0) \oplus E_K(P_1)$ is negligible
(one may test further with more $(P_i, C_i)$ pairs).
Finally, the key $W$ is computed as $W = C_1 \oplus E_K(P_1)$. The complexity is approximately $2^{56}$ operations.

Problem 13
a) For fast encryption in RSA it is popular to use $e = 3$. Although RSA is considered to
be a secure public-key cryptosystem, implementations of RSA can make encryption completely insecure.
Assume that $M \in \mathbb{Z}_{2^{64}}$ is a 64-bit plaintext that is encrypted using a 512-bit RSA modulus
$n$ and encryption exponent $e = 3$. Explain why this is completely insecure.
Demonstrate this by finding the plaintext corresponding to the ciphertext $C = 33076161$ when
$n = 100082119$.
b) Suppose an active adversary wishes to decrypt a particular message $c = m^e \bmod n$ intended
for A. Assume also that A will decrypt arbitrary ciphertexts for the adversary other than $c$ itself.
Describe how the adversary can make A reveal the plaintext message $m$ corresponding to $c$.

Solution
a) Using 64-bit messages together with $e = 3$, no modular reduction occurs for a
512-bit modulus $n$ (since $M^3 < 2^{192} < n$). For the given $C$ we have $P = C^{1/3} = 321$.
b) The adversary gives $\hat{c} = c x^e$ to A for decryption, where $x \ne 1$ is a random element from $\mathbb{Z}_n^*$. A
computes $\hat{m} = \hat{c}^d \pmod n$, which equals
$\hat{m} \equiv \hat{c}^d \equiv c^d (x^e)^d \equiv m x \pmod n.$
From this the adversary computes $m = \hat{m} x^{-1} \pmod n$.

Problem 14
An RSA cryptosystem has open parameters $n, e$ and trapdoor parameters $d, p, q, \phi(n)$, where
$p, q$ are primes and $ed \equiv 1 \pmod{\phi(n)}$.
a) Determine how many numbers in $\{0, 1, \ldots, \phi(n)\}$ are possible values for $e$ if $p = 2p_1 + 1$
and $q = 2q_1 + 1$, where $p_1$ and $q_1$ are primes.
b) The prime number theorem states that the number of primes not exceeding $N$ is approximately $N / \ln N$. Thus the primes are relatively dense compared to the non-primes.
Therefore for the generation of $p$ and $q$ we may adopt the following strategy: test the prime $p$ with
some primality test and then choose $q$ close to $p$ with the same primality tests. This ensures that
$p$ and $q$ are about the same size. Can you use this method to generate primes for an RSA cryptosystem? Motivate your answer.
c) Prove that $D(E(M)) = M$ for the case $\gcd(M, n) = 1$.

Solution

a) $\phi(\phi(n)) = \phi((p - 1)(q - 1)) = \phi(4 p_1 q_1) = 2(p_1 - 1)(q_1 - 1)$.
b) This is not a good method because if $p$ and $q$ are close to each other then factoring $N$ reduces to computing $\sqrt{N}$ and finding close prime integers.
c) See the textbook, page 124 (actually this problem is misprinted; the idea was to prove the
case $\gcd(M, n) \ne 1$, thus you get 7 points just for finding the proof in the book).

Problem 15
The following authenticated key agreement protocol is given:
1: A → B : $g^x \bmod p$
2: B → A : $g^y \bmod p$, $E_k(S_B(g^y \bmod p, g^x \bmod p))$
3: A → B : $E_k(S_A(g^x \bmod p, g^y \bmod p))$
We assume that the parties have agreed on a $(g, p)$ pair for Diffie-Hellman key exchange, that each
user has RSA keys for digital signatures and that they have agreed on a block cipher $E$ for use
in subsequent encryption. Furthermore, $k$ is the agreed secret key and $S_A$ and $S_B$ denote A's
and B's signature operations, respectively. Describe in detail (as a list) A's and B's actions at
receipt of messages 2 and 3 and what beliefs they have at that stage. Are A and B successfully
authenticated to each other after the protocol run?

Solution
We describe the actions and knowledge of the parties after all three messages.
(a) After receiving $X = g^x$ as message 1, B can choose a $y$ and compute $k = X^y \bmod p$ as
the session key. He then computes $Y = g^y \bmod p$, signs $(Y; X)$ and encrypts it using key $k$. At
this stage, B has no reason to believe that the received message was actually from A.
(b) After receiving $(Y; c)$ as message 2, A can compute $k = Y^x \bmod p$. Then $k$ is the agreed
common key, so she can use this to decrypt $c$, getting $s$. Finally, she verifies that $s$ is B's signature on $(Y; X)$. A can now conclude that the sender of message 2 knows:
- $k$, since he could encrypt using it.
- B's signing key, since he could produce the signature $s$.
- $X$ and $y$, the discrete log of $Y$ (since A successfully decrypted $c$ using $k = Y^x$, but anybody
else could only have computed $k$ as $X^y$).
- $(Y; X)$, since he signed it; this knowledge must be recent, since it includes $X$, which A
herself chose just before sending message 1.
From this evidence, A believes that the sender of message 2 is B and that therefore A and B share
$k$.
(c) After receiving $c'$ as message 3, B decrypts it and verifies that the plaintext is A's signature on $(X; Y)$. From similar reasoning as above, B concludes that the sender of message 3 is A
and that A and B share $k$.

Problem 16
Let $E_k(m), D_k(c)$ be a block cipher. Fischer Spiffy Mixer (FSM) mode encrypts a sequence
of message blocks $m_1, m_2, \ldots$ to the sequence of ciphertext blocks $c_1, c_2, \ldots$ using the following
method:
$c_i = m_{i-1} \oplus E_k(m_i \oplus c_{i-1}), \quad i \ge 1;$
$m_0$ and $c_0$ are fixed (public) initialization vectors.
(a) Describe how decryption is performed.
(b) Suppose ciphertext block $c_i$ is damaged in transit. Which plaintext blocks become undecipherable as a result? Explain.

Solution
(a) XORing $m_{i-1}$ to both sides of the encryption equation gives
$c_i \oplus m_{i-1} = E_k(m_i \oplus c_{i-1}).$
Applying the decryption function on both sides gives
$D_k(c_i \oplus m_{i-1}) = m_i \oplus c_{i-1},$
so $m_i = c_{i-1} \oplus D_k(c_i \oplus m_{i-1})$.
(b) If $c_i$ was damaged then $m_i$ is damaged. If $m_i$ is damaged then $m_{i+1}$ is damaged. From
then on all messages are damaged.
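FSM mode encryption, the decryption rule derived in (a), and the unbounded error propagation of (b), as an added simulation that is not part of the original solution. A 4-bit toy block cipher (the PRESENT S-box used as a fixed permutation, no security claim) stands in for $E_k$; the message and the IVs $m_0, c_0$ are constructed.

```python
# Toy 4-bit block cipher: the PRESENT S-box as a fixed permutation (constructed stand-in for E_k).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]


def Ek(x):
    return SBOX[x]


def Dk(y):
    return INV_SBOX[y]


def fsm_encrypt(blocks, m0, c0):
    """c_i = m_{i-1} XOR E_k(m_i XOR c_{i-1}), with public IVs m0 and c0."""
    out, prev_m, prev_c = [], m0, c0
    for m in blocks:
        c = prev_m ^ Ek(m ^ prev_c)
        out.append(c)
        prev_m, prev_c = m, c
    return out


def fsm_decrypt(blocks, m0, c0):
    """m_i = c_{i-1} XOR D_k(c_i XOR m_{i-1}); note that the *recovered* m_{i-1} feeds the next
    step, which is why one damaged block spoils every later one."""
    out, prev_m, prev_c = [], m0, c0
    for c in blocks:
        m = prev_c ^ Dk(c ^ prev_m)
        out.append(m)
        prev_m, prev_c = m, c
    return out


def damaged_after_error(blocks, m0, c0, j):
    """Flip one bit in c_j (1-based) and list the 1-based plaintext blocks that decrypt wrongly."""
    ct = fsm_encrypt(blocks, m0, c0)
    ct[j - 1] ^= 0x1
    rec = fsm_decrypt(ct, m0, c0)
    return [i + 1 for i, (a, b) in enumerate(zip(blocks, rec)) if a != b]


MESSAGE = [0x1, 0x2, 0x3, 0x4]   # constructed 4-block message
M0, C0 = 0x0, 0x0                # constructed public IVs


if __name__ == "__main__":
    print(fsm_encrypt(MESSAGE, M0, C0))                 # [5, 12, 0, 10]
    print(damaged_after_error(MESSAGE, M0, C0, 2))      # [2, 3, 4]
```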

Problem 17
In the RSA cryptosystem encryption is performed using $C \equiv M^e \pmod N$, where $N = pq$ for
suitably chosen large primes $p, q$, and $\gcd(e, \phi(N)) = 1$. In a chaining attack on RSA, given a
ciphertext $C \equiv M^e \pmod N$ the attacker computes
$C^e \pmod N,\ C^{e^2} \pmod N,\ \ldots,\ C^{e^k} \pmod N,$
until $C \equiv C^{e^k} \pmod N$ is obtained. That is, $k$ is the least positive integer that specifies the cycle.
(a) Explain why the attacker can always find $k \in [1, N - 1]$ so that $C \equiv C^{e^k} \pmod N$.
Hint: Recall that RSA is an encryption algorithm and therefore bijective, i.e. $M_1 \ne M_2$ cannot
be mapped to the same ciphertext.
(b) Can the attacker recover the message $M$ from the observed sequence above in case $C \equiv C^{e^k} \pmod N$ is valid?
(c) Explain how the attacker can factor $N$ by finding an integer $u$ such that $\gcd(C^{e^u} - C, N) > 1$.
Hint: Analyze the different cases w.r.t. the $\pmod p$ and $\pmod q$ congruences.

Solution
(a) Since encryption is a permutation on the message space $\{0, 1, \ldots, N - 1\}$ we have $C_1^e \not\equiv C_2^e \pmod N$ for $C_1 \ne C_2$. Thus there must exist a positive integer $k$ such that $C^{e^k} \equiv C \pmod N$.
Otherwise, assume that there is no $k$ satisfying this for $k \in \{1, \ldots, N - 1\}$. Then it must be the
case that $C^{e^r} \equiv C^{e^s} \not\equiv C \pmod N$ for some $1 \le r \ne s \le N - 1$. This means that the ciphertext
$C$ is an encryption of two messages $M^{e^{r-1}}$ and $M^{e^{s-1}}$. Note that
$C = (M^{e^{r-1}})^e = (M^{e^{s-1}})^e \pmod N.$
(b) The attacker reveals the plaintext $M$ as
$C^{e^k} = (C^{e^{k-1}})^e = M^e \equiv C \pmod N,$
therefore $C^{e^{k-1}} \equiv M \pmod N$.
(c) Assuming $\gcd(C^{e^u} - C, N) = f > 1$ for some $u > 0$ we have the following situations:
If
$C^{e^u} \equiv C \pmod p \quad \text{and} \quad C^{e^u} \not\equiv C \pmod q,$
then $f = p$. If
$C^{e^u} \not\equiv C \pmod p \quad \text{and} \quad C^{e^u} \equiv C \pmod q,$
then $f = q$. But if both
$C^{e^u} \equiv C \pmod p \quad \text{and} \quad C^{e^u} \equiv C \pmod q,$
then $f = N$. There is no factorization, but $C^{e^u} \equiv C \pmod N$ in this case, thus $C^{e^{u-1}} \equiv M \pmod N$.
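The cycling computation of (b) and the gcd search of (c) on a small RSA instance, as an added example that is not part of the original solution. The key ($N = 61 \cdot 53 = 3233$, $e = 17$) and the message are constructed; the functions implement exactly the iteration described in the problem, and the factoring attempt returns None when the cycle closes modulo $N$ before any partial match, which is the third case in the solution.

```python
from math import gcd

TOY_N, TOY_E = 3233, 17          # constructed textbook RSA key: N = 61 * 53


def rsa_cycle(c, e, n):
    """Iterate C -> C^e mod N until the value returns to C.
    Returns (k, C^(e^(k-1)) mod N); the second value is the plaintext M (Problem 17 b)."""
    prev, cur, k = c, pow(c, e, n), 1
    while cur != c:
        prev, cur, k = cur, pow(cur, e, n), k + 1
        if k > n:                    # cannot happen: x -> x^e is a permutation of Z_N
            raise RuntimeError("no cycle found")
    return k, prev


def cycle_factor(c, e, n):
    """Problem 17 c): look for u with 1 < gcd(C^(e^u) - C, N) < N.
    Returns (p, q), or None if the cycle closes modulo N before any partial match."""
    cur = c
    for _ in range(1, n):
        cur = pow(cur, e, n)
        g = gcd(cur - c, n)
        if 1 < g < n:
            return g, n // g
        if cur == c:
            return None
    return None


if __name__ == "__main__":
    target = pow(65, TOY_E, TOY_N)             # constructed: encryption of M = 65
    print(rsa_cycle(target, TOY_E, TOY_N))     # (k, 65)
    print(cycle_factor(target, TOY_E, TOY_N))  # (61, 53), (53, 61) or None
```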

Problem 18
Let $h : \{0, 1\}^* \to \{0, 1\}^n$ be a hash function that is second-preimage and collision resistant.
Let $h' : \{0, 1\}^* \to \{0, 1\}^{n+1}$ be the hash function given by the rule
$h'(x) = \begin{cases} 0 \,\|\, x, & x \in \{0, 1\}^n, \\ 1 \,\|\, h(x), & \text{otherwise.} \end{cases}$
Prove that $h'$ is not preimage resistant, but still second-preimage and collision resistant.

Solution
The modified hash function $h'$ is not preimage resistant, since for any hash value $y$ of the form
$0 \,\|\, x$, a preimage is $x$.
Therefore, we can find a preimage for at least one half of all possible hash values.
Next we prove that $h'$ inherits second-preimage and collision resistance from $h$. We show that if
we can find a collision or a second preimage for $h'$, then we can easily do so for $h$. Suppose
$x_0 \ne x_1 : h'(x_0) = h'(x_1)$.
Two cases:
1. The first bit of $h'(x_0)$ is 0. Impossible, as it implies $x_0 = x_1$.
2. The first bit of $h'(x_0)$ is 1. Then $h(x_0) = h(x_1)$, a contradiction, as $h$ is collision resistant.


Problem 19
The S/Key protocol is a variation of the well-known Lamport one-time password protocol. The
idea is that a user U can efficiently derive a new password for each session, based on a master
password $P_U$. The $n$ one-time passwords are derived recursively by applying, for instance, a hash
function $f$, and the sequence of passwords is given as
$f^n(P_U) \stackrel{\text{def.}}{=} \underbrace{f(\cdots(f(P_U))\cdots)}_{n}$

S/KEY PROTOCOL:

PREMISE: User U and Host H have set up U's initial password entry
$(ID_U, f^n(P_U), n)$; $f$ is a hash function, and U must memorize $P_U$.
The current password entry of U in H is $(ID_U, f^c(P_U), c)$,
for $1 \le c \le n$.
GOAL: U authenticates to H without transmitting $P_U$ in cleartext.
1. U → H : $ID_U$
2. H → U : $c$, Input Password:
3. U → H : $Q = f^{c-1}(P_U)$
4. H finds the entry $(ID_U, f^c(P_U), c)$ in its database;
access is granted if
$f(Q) = f^c(P_U),$
and then U's password entry is updated to $(ID_U, Q, c - 1)$.
Analyze the security of the protocol with an active man-in-the-middle adversary. The adversary is
capable of intercepting the messages and sending fraudulent messages to U and H. Can the adversary
fool the protocol and gain knowledge of the next session key?

Solution
Malice (the adversary) simply supplies the user with an incorrect session value $c$:
U → Malice : $ID_U$
Malice → H : $ID_U$
H → Malice : $c$, Password
Malice → U : $c - 1$, Password
U → Malice : $f^{c-2}(P_U)$
Malice → H : $f^{c-1}(P_U)$
Malice is in possession of $f^{c-2}(P_U)$, which he can use for logging in in the name of U in the next
session.

Problem 20
This problem concerns the generation of periodic sequences.
1. We consider the possibility of obtaining the periodic sequence $\{100011\}^\infty$, that is
100011100011...
using an LFSR of minimum length. That is, start with $L = 2$ and increase the length by one
in case the sequence cannot be generated by this length. Specify the connection polynomial
of the shortest LFSR found in this way. Motivate your answer and make sure that you
really get the desired sequence.
Solution. The maximum period of an LFSR of length 2 is 3 and therefore we may check
length 3. The general appearance of such an LFSR is shown in the figure below.
[Figure: LFSR of length 3 with feedback coefficients $c_1$, $c_2$ and $c_3 = 1$]
We have the following equation (using $c_3 = 1$):
$0 \cdot c_1 + 0 \cdot c_2 + 1 = 0$
Thus, if $c_3 = 1$ we get a contradiction immediately. Thus we need to check $L = 4$ (using
$c_4 = 1$). Then,
$0 \cdot c_1 + 0 \cdot c_2 + 0 \cdot c_3 + 1 = 1$
$c_1 = 1$
$c_1 + c_2 = 1$
$c_1 + c_2 + c_3 = 0$
The solution is $c_1 = 1$, $c_2 = 0$, $c_3 = 1$ and the recurrence can be written as
$s_{t+4} = s_{t+3} + s_{t+1} + s_t, \quad t \ge 1.$
Using $(s_1, s_2, s_3, s_4) = (1, 0, 0, 0)$ we get $s = 100011 \,|\, 100011 \ldots$

2. Assume that we have two maximum length sequences $s_1$ and $s_2$ generated by LFSRs of
respective lengths $L_1$ and $L_2$, where $L_1$ and $L_2$ are relatively prime. What is the period of
the sequence $s(t) = s_1(t) + s_2(t)$?
Solution. The period is $(2^{L_1} - 1)(2^{L_2} - 1)$. See the lecture notes regarding the linear complexity of sequences. A valid answer could also have been deduced through an example.
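Both parts of Problem 20 worked by computer, as an added example that is not part of the original solutions. The first function carries out the "start at $L = 2$ and grow" search literally, trying every coefficient vector with $c_L = 1$ and keeping the first one that reproduces the 12 given bits; the period and connection polynomial are then read off. The second part checks $(2^{L_1} - 1)(2^{L_2} - 1)$ on a constructed pair of m-sequences of lengths 2 and 3. The coefficient convention is the one in the solution, $s_{t+L} = c_1 s_{t+L-1} + \cdots + c_L s_t$ over GF(2).

```python
from itertools import product

TARGET = [1, 0, 0, 0, 1, 1] * 2   # {100011}^∞ written out to 12 bits (Problem 20)


def lfsr_run(coeffs, seed, length):
    """Generate `length` bits of s_{t+L} = c1 s_{t+L-1} + ... + cL s_t over GF(2).
    coeffs = (c1, ..., cL), seed = (s1, ..., sL)."""
    s = list(seed)
    while len(s) < length:
        new = 0
        for j, c in enumerate(coeffs, start=1):
            new ^= c & s[-j]            # c_j multiplies the bit j steps back
        s.append(new)
    return s[:length]


def shortest_lfsr(seq, start_len=2):
    """Smallest L >= start_len and coefficients (c1..cL), c_L = 1, that reproduce seq."""
    for L in range(start_len, len(seq) + 1):
        for cs in product((0, 1), repeat=L - 1):
            coeffs = cs + (1,)
            if lfsr_run(coeffs, seq[:L], len(seq)) == list(seq):
                return L, coeffs
    return None


def connection_polynomial(coeffs):
    """C(x) = 1 + c1 x + ... + cL x^L as a string."""
    terms = ["1"] + [("x" if j == 1 else f"x^{j}") for j, c in enumerate(coeffs, start=1) if c]
    return " + ".join(terms)


def seq_period(seq):
    """Least t >= 1 with seq[i] == seq[i+t] for all i (seq must be longer than 2t)."""
    n = len(seq)
    for t in range(1, n):
        if all(seq[i] == seq[i + t] for i in range(n - t)):
            return t
    return None


def lfsr_period(coeffs, seed):
    """Period of the LFSR output; 2^L + L bits are enough since any state recurs within 2^L steps."""
    L = len(coeffs)
    return seq_period(lfsr_run(coeffs, seed, 2 * (2 ** L) + L))


def sum_sequence_period(coeffs1, seed1, coeffs2, seed2, length=128):
    """Period of s1(t) + s2(t) (mod 2) for two LFSR sequences, by direct inspection."""
    s1 = lfsr_run(coeffs1, seed1, length)
    s2 = lfsr_run(coeffs2, seed2, length)
    return seq_period([a ^ b for a, b in zip(s1, s2)])


if __name__ == "__main__":
    L, coeffs = shortest_lfsr(TARGET)
    print(L, coeffs, connection_polynomial(coeffs))   # 4 (1, 0, 1, 1) 1 + x + x^3 + x^4
    print(lfsr_period(coeffs, TARGET[:L]))            # 6
    # Constructed m-sequences: x^2 + x + 1 (period 3) and x^3 + x + 1 (period 7).
    print(sum_sequence_period((1, 1), (1, 0), (1, 0, 1), (1, 0, 0)))   # 21
```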

Problem 21
Alice and Bob use a block cipher for encryption and need to choose a mode of operation. Recall
the following two modes:
CBC mode: Here an $n$-block plaintext $M_1 M_2 \ldots M_n$ is encrypted to an $n$-block ciphertext
$C_1 C_2 \ldots C_n$ using
$$C_i = E_K(M_i \oplus C_{i-1}),\quad i \ge 1,$$
where $C_0 = IV$.
Counter mode: Here an $n$-block plaintext $M_1 M_2 \ldots M_n$ is encrypted to an $n$-block ciphertext
$C_1 C_2 \ldots C_n$, where
$$K_i = E_K(IV \,\|\, i),\qquad C_i = M_i \oplus K_i,\quad i \ge 1.$$
An adversary is able to intercept and change messages sent between Alice and Bob. Now consider
the following scenarios.
1. In some messages sent by Bob, it is the case that the last block is a randomly generated
secret key. Decide for the two modes whether the adversary can corrupt messages sent, so
that Alice receives a message that looks good after decryption, but contains the wrong key.
Solution For both modes it is the case that the adversary can replace the last ciphertext
block with any other block. When Alice decrypts the message all previous blocks will
be unchanged and the message looks good; the last block will be corrupt, but since it is
random, there is no way for Alice to discover this. See the lecture notes and the lion cage
example.
2. In some messages sent by Bob, the adversary may know the first block $M_1$ and want to
replace it by another block $A_1$ of his choice, leaving the rest of the message unchanged.
Show that the adversary can achieve this if Counter mode is used. Do you think he can do
it with CBC mode (assume changing $C_0 = IV$ is allowed)?
Solution The adversary can achieve this if the encryption is in Counter mode. The encryption
of the first block is $C_1 = M_1 \oplus E_K(IV \| 1)$, from which he can compute $E_K(IV \| 1) = M_1 \oplus C_1$.
He wants to replace $C_1$ by
$$C_1' = A_1 \oplus E_K(IV \| 1)$$
and can easily compute $C_1' = A_1 \oplus M_1 \oplus C_1$. The other blocks are not affected by this.
For CBC mode, we have $M_1 = D_K(C_1) \oplus C_0$. The adversary cannot change $C_1$, since
that would affect Alice's decryption of $C_2$. Instead, he must try to find $C_0'$ such that
$A_1 = D_K(C_1) \oplus C_0'$. Solving for $C_0'$ we get
$$C_0' = A_1 \oplus D_K(C_1) = A_1 \oplus M_1 \oplus C_0.$$
Thus, this is also possible in the CBC mode.
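Both manipulations can be checked mechanically. The following is an added example, not code from the exam: $E_K$ is a stand-in block cipher (a 4-round Feistel network on 16-byte blocks whose round function is HMAC-SHA256, chosen only so that encryption and decryption run with the standard library), the key, IVs and message blocks are constructed sample values, and the functions reproduce the first-block replacement in Counter mode, the IV replacement in CBC mode, and the last-block swap of scenario 1.

```python
# Added example (not from the exam): block-level malleability of CBC and
# counter mode. The block cipher below is a stand-in Feistel construction,
# not DES or AES; any secure block cipher shows the same behaviour.
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    """Round function: 8 bytes of HMAC-SHA256(key, round index || half)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = encrypt_block(key, xor(m, prev))      # C_i = E_K(M_i xor C_{i-1})
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(decrypt_block(key, c), prev))  # M_i = D_K(C_i) xor C_{i-1}
        prev = c
    return out

def ctr_crypt(key, iv, blocks):
    """K_i = E_K(IV || i) with a 12-byte IV and 4-byte counter; C_i = M_i xor K_i."""
    return [xor(m, encrypt_block(key, iv + i.to_bytes(4, "big")))
            for i, m in enumerate(blocks, 1)]

def ctr_replace_first_block(ciphertext, m1, a1):
    """C_1' = A_1 xor M_1 xor C_1: no key needed, later blocks untouched."""
    return [xor(xor(a1, m1), ciphertext[0])] + ciphertext[1:]

def cbc_replace_first_block(iv, m1, a1):
    """C_0' = A_1 xor M_1 xor C_0: only the IV that travels with the message changes."""
    return xor(xor(a1, m1), iv)

def demo():
    key = b"0123456789abcdef"                               # constructed demo key
    iv_cbc, iv_ctr = bytes(range(16)), bytes(range(12))     # constructed IVs
    msg = [b"TRANSFER  100 TO", b"ACCOUNT 12345678", b"SESSION-KEY:" + bytes(4)]
    a1 = b"TRANSFER 9999 TO"                                # attacker's choice of A_1

    ctr_c = ctr_crypt(key, iv_ctr, msg)
    ctr_result = ctr_crypt(key, iv_ctr, ctr_replace_first_block(ctr_c, msg[0], a1))

    cbc_c = cbc_encrypt(key, iv_cbc, msg)
    cbc_result = cbc_decrypt(key, cbc_replace_first_block(iv_cbc, msg[0], a1), cbc_c)

    # scenario 1: swapping the last ciphertext block leaves every earlier block intact
    swapped = cbc_decrypt(key, iv_cbc, cbc_c[:-1] + [bytes(BLOCK)])
    return ctr_result, cbc_result, swapped[:-1] == msg[:-1]

if __name__ == "__main__":
    print(demo())
```

The practical lesson is that neither mode protects integrity: Alice can only detect these changes if the ciphertext and the IV are covered by a MAC or an authenticated-encryption mode.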

Problem 21
These questions only require a YES or NO answer without any motivation.
1. (T/F) In theory, if the key is truly random, never reused, and kept secret, DES and AES are
both provably secure against known plaintext attacks.
Solution FALSE, not provably secure but rather computationally secure.
2. (T/F) A Feistel cipher structure lets you use the same hardware or software for decryption
as for encryption.
Solution TRUE, just reverse the order of the subkeys.
3. (T/F) All block ciphers use S-boxes and permutation P-boxes.
Solution FALSE, IDEA does not have S- and P-boxes, though it achieves confusion and
diffusion by other means.
4. (T/F) Diffie-Hellman key exchange is an asymmetric scheme that can be used for encryption
and signatures, but is not as efficient as RSA.
Solution FALSE, DH is only used for key exchange, see also the textbook.
5. (T/F) A hash function given by
$$h(m_1, m_2) = m_1^e m_2^e \pmod{pq},$$
(where $p, q$ are RSA primes and $e$ has an inverse modulo $\phi(pq)$) is a collision resistant
hash function, that is, it is computationally hard to find $(m_1', m_2')$ such that $h(m_1, m_2) =
h(m_1', m_2')$.
Solution FALSE, e.g. one can take $(m_1', m_2') = (m_2, m_1)$ and get a collision.

Problem 22
This problem treats the RSA public key cryptosystem.
1. Can a user of RSA choose the encryption exponent $e$ to be even, e.g. $e = 4$?
Solution No, since then $\gcd(e, \phi(N)) \ne 1$ as $2 \mid \phi(N) = (p-1)(q-1)$.

2. Let $e$ and $e'$ be two different public keys such that $e'$ is derived from $e$ by flipping one zero
to one ($0 \to 1$) in the binary representation of $e$. Show that $\gcd(e, e') = 1$. Hint: Compare
the divisors of $e$ and $e'$.
Solution We know that $e' = e + 2^i$ for some $i$. Any non-trivial divisor of $e$ must be
odd, hence not a divisor of $2^i$. Therefore it cannot divide $e'$ and thus $\gcd(e, e') = 1$.

Problem 23
Alice wants to send an encrypted message to Bob using RSA, but doesn't know his public
key. So, she sends Bob an email asking for the key. Bob replies with his RSA public key
$(e, N)$. However, the active adversary intercepts the message and changes one bit in $e$ from
0 to 1, so Alice receives an email claiming that Bob's public key is $(e', N)$, where $e'$ differs
from $e$ in one bit. Alice encrypts $m$ with this key and sends it to Bob. Of course, Bob cannot
decrypt, since the message was encrypted with the wrong key. So he resends his key and
asks Alice to send the encrypted message again, which she does. The adversary eavesdrops
on the whole communication without interfering further. Describe how he can now recover $m$.

Solution The adversary has eavesdropped and thus knows $c = m^e$ and $c' = m^{e'}$ (mod $N$). He
also knows $e$ and $e'$, and furthermore $\gcd(e, e') = 1$. So the adversary can find integers
$x$ and $y$ such that
$$ex + e'y = 1.$$
Hence,
$$c^x c'^y = m^{ex + e'y} = m.$$

Problem 24
A DH-based key exchange protocol for wireless mobile networks was proposed by Park: The
system has a common prime modulus $p$ and a generator $g$. Each party $i$ has a long-term private
key $x_i \in \mathbb{Z}_{p-1}$ and a public key $X_i = g^{x_i} \pmod p$. To establish a session key between a mobile
subscriber M and a base station B, the following protocol is executed (with all arithmetic in $\mathbb{Z}_p$):
1. B → M : $g^{x_B + N_B}$
2. M → B : $N_M + x_M$
where $N_B$ and $N_M$ are one-time random nonces (once-used random numbers). B calculates the
session key as
$$K_{MB} = \left(g^{x_M + N_M} X_M^{-1}\right)^{N_B}$$
and M calculates it as
$$K_{MB} = \left(g^{x_B + N_B} X_B^{-1}\right)^{N_M}.$$

Then they complete the authentication with a challenge-response using this $K_{MB}$.

1. Show that Park's protocol is correct in the sense that B and M calculate the same $K_{MB}$
value.
Solution We compute
$$\left(g^{x_M + N_M} X_M^{-1}\right)^{N_B} = \left(X_M g^{N_M} X_M^{-1}\right)^{N_B} = g^{N_M N_B} = K_{MB},$$
and
$$\left(g^{x_B + N_B} X_B^{-1}\right)^{N_M} = \left(X_B g^{N_B} X_B^{-1}\right)^{N_M} = g^{N_M N_B} = K_{MB}.$$

2. Show that an attacker who has compromised a session key from a previous run, for which
(s)he has recorded the messages, can impersonate B. (Hint: Let the attacker replay B's
message from the previous session.)
Solution If the attacker knows $g^{N_M N_B} = K_{MB}$ used in the previous session, (s)he can
send
1. C(B) → M : $g^{x_B + N_B} = X_B g^{N_B}$
2. M → C(B) : $N_M' + x_M$
The attacker knows $N_M + x_M$ and $N_M' + x_M$, so he can compute $N_M' - N_M$ by subtracting the
two values. Also the knowledge of $X_B g^{N_B}$ allows him to compute $g^{N_B}$ as $X_B$ is public (use the
EEA to find the inverse of $X_B$). Now the two equations
$$K_{MB} = \left(g^{x_M + N_M} X_M^{-1}\right)^{N_B},\qquad K'_{MB} = \left(g^{x_M + N_M'} X_M^{-1}\right)^{N_B}$$
give
$$K'_{MB} = K_{MB}\,\left(g^{N_B}\right)^{N_M' - N_M}.$$
All the values are known, so the attacker can efficiently compute $K'_{MB}$. Now whatever the
value of $N_M'$, both parties will compute
$$K'_{MB} = g^{N_M' N_B}.$$

3. In fact this protocol can be broken without having any previous session keys compromised:
Show how the attacker can impersonate B by just knowing his public key.
Solution If the attacker only knows $X_B$ and $X_M$ the protocol is run as
1. C(B) → M : $g^{x_B + N_C} = X_B g^{N_C}$
2. M → C(B) : $N_M' + x_M$
Now M computes
$$K_{MC} = g^{N_M' N_C},$$
but also the fake server (base station) can compute
$$\left(g^{x_M + N_M'} X_M^{-1}\right)^{N_C},$$
where $x_M + N_M'$, $X_M$ and $N_C$ are known to the attacker. Obviously the same key is computed.
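The algebra of parts 1 and 3 is short enough to verify numerically. The following is an added example, not code from the exam: it runs Park's key derivation on constructed toy parameters ($p = 1019$, $g = 2$, small fixed exponents) once between the real parties and once with a third party C that knows only the public keys, and confirms that C ends up with the same key as M.

```python
# Added example (not from the exam): numeric check of Park's protocol.
# Toy parameters only; the modulus is a small prime so that every step is
# visible, and inverses are taken with Fermat's little theorem.
P, G = 1019, 2                      # constructed: small prime modulus and base

def inv(a):
    """a^{-1} mod P for prime P (Fermat), the 'EEA inverse' of the solution."""
    return pow(a, P - 2, P)

def honest_run(x_b, x_m, n_b, n_m):
    """Real B and M: returns (key computed by B, key computed by M)."""
    X_b, X_m = pow(G, x_b, P), pow(G, x_m, P)
    msg1 = pow(G, x_b + n_b, P)                          # B -> M : g^{x_B + N_B}
    msg2 = n_m + x_m                                     # M -> B : N_M + x_M (plain integer)
    k_b = pow(pow(G, msg2, P) * inv(X_m) % P, n_b, P)    # (g^{x_M+N_M} X_M^{-1})^{N_B}
    k_m = pow(msg1 * inv(X_b) % P, n_m, P)               # (g^{x_B+N_B} X_B^{-1})^{N_M}
    return k_b, k_m

def impostor_run(X_b, X_m, x_m, n_c, n_m):
    """C knows only the public keys X_B, X_M. It picks its own nonce N_C and
    sends X_B * g^{N_C}, which has the same form as g^{x_B + N_B}.
    Returns (key computed by C, key computed by M)."""
    msg1 = X_b * pow(G, n_c, P) % P                      # no knowledge of x_B needed
    msg2 = n_m + x_m                                     # M answers as usual
    k_c = pow(pow(G, msg2, P) * inv(X_m) % P, n_c, P)    # (g^{x_M+N_M'} X_M^{-1})^{N_C}
    k_m = pow(msg1 * inv(X_b) % P, n_m, P)               # M's computation
    return k_c, k_m

if __name__ == "__main__":
    print(honest_run(123, 456, 77, 99))
    print(impostor_run(pow(G, 123, P), pow(G, 456, P), 456, 31, 99))
```

The root cause visible in the code is that message 1 can be formed from the public key alone, so it proves nothing about possession of $x_B$; a challenge-response on the resulting key cannot repair this, because C holds the key too.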

Problem 25

Consider the following cryptosystem:
$\mathcal{K} = \{A, B\}$ with $\Pr(A) = 2/3$, $\Pr(B) = 1/3$;
$\mathcal{P} = \{0, 1\}$ with $\Pr(0) = 3/5$, $\Pr(1) = 2/5$;
$\mathcal{C} = \{a, b\}$;
$E_A(0) = a$, $E_A(1) = b$, $E_B(0) = b$, $E_B(1) = a$.

a) Compute $\Pr(a)$ and $\Pr(0|a)$.


Solution (a) $\Pr(a) = \Pr(0)\Pr(A) + \Pr(1)\Pr(B) = \frac{3}{5}\cdot\frac{2}{3} + \frac{2}{5}\cdot\frac{1}{3} = \frac{8}{15}$.
Use Bayes' theorem to compute
$$\Pr(0|a) = \frac{\Pr(0)\Pr(a|0)}{\Pr(a)} = \frac{\frac{3}{5}\cdot\frac{2}{3}}{\frac{8}{15}} = \frac{3}{4}.$$

b) Is this system a perfect cryptosystem? If not, what probabilities would you change to make
it perfect?
Solution This is not a cryptosystem with perfect secrecy. We need to change the key distribution.
Due to Shannon, for a cryptosystem with $|\mathcal{K}| = |\mathcal{C}| = |\mathcal{P}|$ we must have that
$\Pr(A) = \Pr(B) = 1/2$. In this case
$$\Pr(a) = \tfrac{1}{2}(\Pr(0) + \Pr(1)) = 1/2 = \Pr(b).$$
Also,
$$\Pr(0|a) = \frac{\Pr(0)\Pr(a|0)}{\Pr(a)} = \frac{\frac{3}{5}\cdot\frac{1}{2}}{\frac{1}{2}} = \frac{3}{5} = \Pr(0).$$
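Parts (a) and (b) are instances of one computation: the ciphertext distribution, Bayes' rule, and the check $\Pr(m|c) = \Pr(m)$ for every pair. The following is an added example, not code from the exam: it encodes the system above as a constructed table, computes the same fractions exactly, and provides a general perfect-secrecy test that can be run against any finite cryptosystem given as an encryption table and two distributions.

```python
# Added example (not from the exam): exact Bayes computation and a
# Shannon perfect-secrecy check for a finite cryptosystem.
from fractions import Fraction as F
from itertools import product

# Constructed copy of the system of Problem 25: (key, plaintext) -> ciphertext
ENC = {("A", 0): "a", ("A", 1): "b", ("B", 0): "b", ("B", 1): "a"}
PR_KEY = {"A": F(2, 3), "B": F(1, 3)}
PR_MSG = {0: F(3, 5), 1: F(2, 5)}

def uniform(keys):
    """The key distribution the solution proposes: every key equally likely."""
    return {k: F(1, len(keys)) for k in keys}

def pr_cipher(enc, pr_key, pr_msg):
    """Pr(c) = sum over all (k, m) with E_k(m) = c of Pr(k) Pr(m)."""
    out = {}
    for (k, m), c in enc.items():
        out[c] = out.get(c, F(0)) + pr_key[k] * pr_msg[m]
    return out

def pr_msg_given_cipher(enc, pr_key, pr_msg, m, c):
    """Bayes: Pr(m|c) = Pr(m) Pr(c|m) / Pr(c), where
    Pr(c|m) = sum of Pr(k) over the keys k with E_k(m) = c."""
    pr_c_given_m = sum((pr_key[k] for (k, mm), cc in enc.items()
                        if mm == m and cc == c), F(0))
    return pr_msg[m] * pr_c_given_m / pr_cipher(enc, pr_key, pr_msg)[c]

def is_perfectly_secret(enc, pr_key, pr_msg):
    """Shannon's definition: Pr(m|c) = Pr(m) for all m and all c with Pr(c) > 0."""
    ciphers = pr_cipher(enc, pr_key, pr_msg)
    return all(pr_msg_given_cipher(enc, pr_key, pr_msg, m, c) == pr_msg[m]
               for m, c in product(pr_msg, ciphers))

if __name__ == "__main__":
    print(pr_cipher(ENC, PR_KEY, PR_MSG))                       # {'a': 8/15, 'b': 7/15}
    print(pr_msg_given_cipher(ENC, PR_KEY, PR_MSG, 0, "a"))     # 3/4
    print(is_perfectly_secret(ENC, PR_KEY, PR_MSG))             # False
    print(is_perfectly_secret(ENC, uniform(["A", "B"]), PR_MSG))  # True
```

Fractions are used on purpose: with floating point, $\Pr(m|c) = \Pr(m)$ would have to be tested with a tolerance, and a near miss would be indistinguishable from a genuinely leaky system.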

c) We wish to encrypt a memoryless source with alphabet $\mathbb{Z}_3 = \{0, 1, 2\}$ and
$$P(M = 0) = 1/3;\quad P(M = 1) = 1/3;\quad P(M = 2) = 1/3.$$
Let the key $K = (K_0, K_1, \ldots, K_{l-1})$ be chosen uniformly from the set of ternary $l$-tuples ($K_i \in \mathbb{Z}_3$).
A sequence of message symbols
$$M = (M_0, M_1, \ldots, M_{n-1})$$
is encrypted to a sequence of ciphertext symbols
$$C = (C_0, C_1, \ldots, C_{n-1})$$
using
$$C_i = M_i + K_{i \bmod l} \pmod 3,\quad \forall i,\ 0 \le i \le n-1.$$
Prove or disprove the following statement (by computing the unicity distance).
For $l = 64$ the unicity distance $n_0$, defined as
$$n_0 = \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|} = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{P}| - H_L},$$
lies in the interval $700 < n_0 < 800$.

Solution Note that $H(\mathcal{P}) = \log_2 3$ and for uniformly distributed messages we have
$$H_L = H(M) = \frac{1}{3}\log_2 3 + \frac{1}{3}\log_2 3 + \frac{1}{3}\log_2 3 = \log_2 3$$
and therefore $n_0 = \infty$. This means that we encrypt a random language and no extra information is
available to the attacker.
d) For what choices of $l$ and $n$ does this cryptosystem have perfect secrecy?
Solution For any $n \le l$. This also comes from the fact that $H(K) \ge H(M)$ for a cryptosystem
with perfect secrecy. Note that in general
$$H(K) = \log_2 3^l$$
and
$$H(M) = \log_2 3^n.$$
Another, less formal way is to say that for perfect secrecy we need the key length to be at least the
message length (no repetition of key symbols) and therefore $n \le l$.

Problem 26
a) We consider the possibility of obtaining the periodic sequence $\{111000\}^{\infty}$, that is
$111000\,111000\ldots$,
using an LFSR of length 3. Specify the connection polynomial of the LFSR of length 3 in case it is
possible to generate such a sequence with this length. Motivate your answer.
Solution We cannot get such a sequence, since when the state of the LFSR is 000, which is a part of
the sequence, it will output only zeros.

b) Alice wants to encrypt a string of bits. She decides to encrypt using an LFSR as a generator
in a stream cipher. However, she knows that just using an LFSR is a bad choice, so she makes
a modification. She only uses every second bit of the LFSR sequence. The encryption process
would then be as follows. A sequence of bits $m = m_1, m_2, \ldots, m_n$ is encrypted to a sequence of
ciphertext symbols $c = c_1, c_2, \ldots, c_n$ by
$$c_i = m_i \oplus s'_i,\quad \forall i,\ 1 \le i \le n,$$
where $s'_i = s'_1, s'_2, \ldots$ is obtained from the binary LFSR sequence $s = s_1, s_2, \ldots$ using $s'_i = s_{2i}$, $i =
1, 2, \ldots$. Finally, $s$ is generated by a length-4 LFSR with connection polynomial $C(x) = 1 + x + x^4$,
with initial (secret) state $(s_1, s_2, s_3, s_4)$ (the LFSR outputs first $s_1$, then $s_2$, etc.).


Eve observed the ciphertext $c = 0, 1, 1, 1, 1, 1, 0$. Also, she knows that the plaintext starts as
$1, 1, 1, 1, \ldots$, i.e.,
$$m = 1, 1, 1, 1, m_5, m_6, m_7.$$
Find the remaining plaintext bits.
Solution This is a routine exercise, given the LFSR and its connection polynomial. From the
assumption we know that the state bits of the LFSR are
$$s_{2i} = c_i \oplus m_i,\quad \text{for } 1 \le i \le 4.$$
That is,
$$s_2 = 1,\ s_4 = 0,\ s_6 = 0,\ s_8 = 0.$$
We note that the connection polynomial corresponds to the recursion
$$s_i = s_{i-1} + s_{i-4},\quad i \ge 5.$$
Hence, we have
$s_5 = s_4 + s_1$
$s_6 = s_5 + s_2$
$s_7 = s_6 + s_3$
$s_8 = s_7 + s_4$
This gives $s_5 = s_2 + s_6 = 1$ and therefore $s_1 = s_4 + s_5 = 1$. Also, $s_7 = s_4 + s_8 = 0$, which
gives $s_3 = s_6 + s_7 = 0$. Thus the secret state is $(s_1, s_2, s_3, s_4) = (1, 1, 0, 0)$ and we can find all the
plaintext bits easily. To find $m_5, m_6, m_7$ we need to find $s_{10}, s_{12}, s_{14}$. Using the recursion we compute
$s_9 = s_8 + s_5 = 1$
$s_{10} = s_9 + s_6 = 1$
$s_{11} = s_{10} + s_7 = 1$
$s_{12} = s_{11} + s_8 = 1$
$s_{13} = s_{12} + s_9 = 0$
$s_{14} = s_{13} + s_{10} = 1$
Thus, $m_5 = c_5 + s_{10} = 1 + 1 = 0$, $m_6 = c_6 + s_{12} = 1 + 1 = 0$, $m_7 = c_7 + s_{14} = 0 + 1 = 1$.
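The hand derivation works because every LFSR bit $s_i$ is a GF(2)-linear combination of the initial state, so the known bits $s_{2i} = c_i \oplus m_i$ form a linear system in $(s_1, \ldots, s_4)$. The following is an added example, not code from the exam: it builds that system for an arbitrary connection polynomial, decimation step and set of known keystream positions, solves it by Gaussian elimination over GF(2), and then decrypts the remaining bits, reproducing the answer above for $C(x) = 1 + x + x^4$ and $c = 0, 1, 1, 1, 1, 1, 0$.

```python
# Added example (not from the exam): recovering an LFSR state from known
# plaintext when only every d-th keystream bit is used. Taps are given as
# the exponents of the connection polynomial (1 + x + x^4 -> taps (1, 4)),
# meaning s_i = s_{i-1} + s_{i-4} over GF(2).

def bit_expressions(taps, L, nbits):
    """For s_1..s_nbits return a bitmask over the unknowns s_1..s_L:
    bit (j-1) set means s_j occurs in the linear expression."""
    exprs = [1 << j for j in range(L)]           # s_1..s_L are themselves unknowns
    for i in range(L, nbits):
        e = 0
        for t in taps:                           # s_{i+1} = sum_t s_{i+1-t}
            e ^= exprs[i - t]
        exprs.append(e)
    return exprs

def solve_gf2(rows, rhs, L):
    """Solve row . s = rhs over GF(2); rows are bitmasks over L unknowns.
    Returns the unique solution as a bit list, or None if it is not unique."""
    eqs = list(zip(rows, rhs))
    solved = []
    for col in range(L):
        idx = next((i for i, (r, _) in enumerate(eqs) if (r >> col) & 1), None)
        if idx is None:
            return None                          # this unknown is not determined
        prow, pb = eqs.pop(idx)
        reduce = lambda r, b: (r ^ prow, b ^ pb) if (r >> col) & 1 else (r, b)
        eqs = [reduce(r, b) for r, b in eqs]
        solved = [reduce(r, b) for r, b in solved]
        solved.append((prow, pb))
    if any(r == 0 and b == 1 for r, b in eqs):
        return None                              # inconsistent equations
    sol = [0] * L
    for r, b in solved:                          # each solved row now has one variable
        sol[r.bit_length() - 1] = b
    return sol

def recover_state(taps, L, known, d=2):
    """known maps i -> s'_i = s_{d*i}; returns (s_1, ..., s_L) or None."""
    exprs = bit_expressions(taps, L, d * max(known))
    rows = [exprs[d * i - 1] for i in known]
    rhs = [known[i] for i in known]
    return solve_gf2(rows, rhs, L)

def lfsr_sequence(taps, state, nbits):
    s = list(state)
    while len(s) < nbits:
        s.append(sum(s[-t] for t in taps) & 1)
    return s[:nbits]

def decrypt_with_known_prefix(taps, L, c, known_prefix, d=2):
    """Problem 26b: ciphertext bits c, known plaintext prefix -> full plaintext."""
    known = {i + 1: c[i] ^ known_prefix[i] for i in range(len(known_prefix))}
    state = recover_state(taps, L, known, d)
    if state is None:
        raise ValueError("known plaintext does not determine the state")
    ks = lfsr_sequence(taps, state, d * len(c))
    return [c[i] ^ ks[d * (i + 1) - 1] for i in range(len(c))]

if __name__ == "__main__":
    print(recover_state((1, 4), 4, {1: 1, 2: 0, 3: 0, 4: 0}))                 # [1, 1, 0, 0]
    print(decrypt_with_known_prefix((1, 4), 4, [0, 1, 1, 1, 1, 1, 0], [1, 1, 1, 1]))  # [1, 1, 1, 1, 0, 0, 1]
```

Decimation does not change the picture: the keystream stays linear in the state, so $L$ known bits (here 4) at any positions that give independent equations suffice. Breaking the linearity, not hiding bits, is what a stream cipher built on an LFSR needs.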

Problem 28

In class we discussed the method of index calculus for solving the Discrete Log Problem. The idea
was to compute discrete logs (where the basis corresponds to the group generator $g$) of some small
prime base $B$. Thus to solve $X = g^x$ for a given $X$ we would compute $\log_g b$ for all $b \in B$.
a) Given the prime number 83, check efficiently whether 2 is a generator of $\mathbb{Z}_{83}^* = \{1, 2, \ldots, 82\}$.
Use the fact that $2^8 \equiv 7 \pmod{83}$. Apply the square and multiply method and show your computations!
Solution Here we use the fact that the order of an element divides the order of the group
(Lagrange, Fermat, ...). If 2 is a generator we must have
$$2^{82} \equiv 1 \pmod{83}$$
and
$$2^a \not\equiv 1 \pmod{83}$$
for all proper divisors $a$ of $p - 1$. But $p - 1 = 2 \cdot 41$ and 41 is prime, so we only need to test that
$$2^{41} \not\equiv 1 \pmod{83}.$$
Using the fact $2^8 \equiv 7 \pmod{83}$ we need to compute
$$2 \cdot 2^8 \cdot 2^{32} \equiv 2 \cdot 7 \cdot 7^4 \pmod{83}.$$
It is easiest to check that $83 \nmid (2 \cdot 7 \cdot 7^4) - 1$. Thus 2 is a generator.


b) Let $B = \{2, 3, 5, 7\}$ (or you may choose another, more suitable basis) and compute the discrete
logs of the basis.
Solution Since one can freely choose the basis we may try $B = \{2, 7\}$, and we can directly
compute $\log_2 2 = 1$ and from the above fact $\log_2 7 = 8$.
c) Let again $B = \{2, 3, 5, 7\}$ (or another basis) and we need to compute $29 = 2^x \pmod{83}$. Compute
$x = \log_2 29$ using the result in b).
Solution Using the lecture notes (with a similar problem) the solution is found quickly. Just a
few attempts of computing $29 \cdot 2^k$ give for $k = 4$
$$29 \cdot 2^4 \equiv 49 = 7^2 \pmod{83},$$
so we may write (applying $\log_2$ to the equation)
$$\log_2 29 + 4 \log_2 2 \equiv 2 \log_2 7 \pmod{82}.$$
That is,
$$\log_2 29 = 2 \log_2 7 - 4 \log_2 2 = 2 \cdot 8 - 4 = 12.$$
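The three steps of this problem (square-and-multiply, the generator test through the prime factors of $p - 1$, and the search for a relation over the factor base) are easy to automate. The following is an added example, not code from the exam: it uses the page's $p = 83$, $g = 2$, target 29 and factor base $\{2, 7\}$ with the logs from b), and returns both the discrete log and the exponent $k$ at which the relation was found; the search loop bound and helper names are my own choices.

```python
# Added example (not from the exam): index calculus on a toy group.

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, trace) where
    trace holds the intermediate value after each bit of exp."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod            # square
        if bit == "1":
            result = result * base % mod          # multiply
        trace.append(result)
    return result, trace

def prime_factors(n):
    fs, d = [], 2
    while d * d <= n:
        while n % d == 0:
            fs.append(d)
            n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return sorted(set(fs))

def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/r) != 1 for every prime r dividing p-1;
    for p = 83 that is r in {2, 41}, i.e. the 2^41 test in the solution."""
    return all(square_and_multiply(g, (p - 1) // r, p)[0] != 1
               for r in prime_factors(p - 1))

def factor_over_base(n, base):
    """Exponent dict if n factors completely over base, else None."""
    exps = {}
    for b in base:
        while n % b == 0:
            exps[b] = exps.get(b, 0) + 1
            n //= b
    return exps if n == 1 else None

def index_calculus_log(target, g, p, base_logs, max_k=200):
    """Find k with target * g^k smooth over the factor base, then
    log_g(target) = sum_b e_b log_g(b) - k (mod p-1). Returns (log, k)."""
    base = sorted(base_logs)
    for k in range(max_k):
        exps = factor_over_base(target * pow(g, k, p) % p, base)
        if exps is not None:
            log = (sum(e * base_logs[b] for b, e in exps.items()) - k) % (p - 1)
            return log, k
    return None

if __name__ == "__main__":
    print(is_generator(2, 83))                                 # True
    print(square_and_multiply(2, 41, 83)[0])                   # 82, i.e. -1 mod 83
    print(index_calculus_log(29, 2, 83, {2: 1, 7: 8}))         # (12, 4)
```

The constructed factor base is tiny because $\log_2 7$ is handed to us; for a real instance the base logs themselves are obtained by collecting many smooth relations and solving the resulting linear system modulo $p - 1$, which is where the real cost of index calculus lies.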


Problem 28
We first recall ElGamal encryption. The setting is $\mathbb{Z}_p$ for a large prime $p$ where $p - 1$ has a
prime divisor $q$. Further, $g$ is a generator for a subgroup of order $q$ of $\mathbb{Z}_p^*$.
A community of users share parameters $p$, $q$ and $g$. Typically, $p$ is a 1024-bit number, while
$q$ has only 160 bits. Each user has a private key $x < q$ and a public key $X = g^x \pmod p$. To
encrypt a message $m$ for this user, the sender chooses a random number $y < q$ and encrypts the
message as
$$(c_1, c_2) = (g^y, m X^y) \pmod p.$$
Because of the random choice of $y$ for each message, different encryptions of the same message
will be different. However, there is another quantity involving only $m$ and $q$ that can be computed
from the ciphertext. This gives the basis for attacks on this textbook version of ElGamal.
a) Show how to compute $m^q$ given the encryption of $m$.
Solution Since the second part involves $m$ we need to do something with $c_2 = m X^y$. If
we raise $c_2$ to the power of $q$ we have that
$$c_2^q = (m (g^x)^y)^q = m^q (g^q)^{xy} = m^q$$
since $g^q = 1$ ($g$ is a generator of a group of order $q$).
b) Given two messages $m_1$ and $m_2$ in $\mathbb{Z}_p$ with $m_1^q = m_2^q$, can one conclude that $m_1 = m_2$ (motivate your answer)? Hint: The probability that a random element in $\mathbb{Z}_p$ has order $q$ is very small.
Solution No. Given that $m_1^q = m_2^q$ we have
$$(m_1 m_2^{-1})^q \equiv 1 \pmod p,$$
that is, $m_1 m_2^{-1}$ has order $q$. This does not mean that $m_1$ and $m_2$ are equal. However, for random
messages (using the hint), the probability of getting an element of order $q$ in this way is quite
small. Therefore with high probability $m_1 = m_2$!
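The $y$-independent value $c_2^q = m^q$ and the counting argument of part b) can both be made concrete. The following is an added example, not code from the exam: it generates constructed toy parameters (a prime $p$ just above 10000 with $q = 11$ dividing $p - 1$, far smaller than the sizes the problem states), encrypts one message under two different $y$, shows that $c_2^q$ is identical in both, exhibits a different message with the same $m^q$, and counts how many messages share a given fingerprint.

```python
# Added example (not from the exam): textbook ElGamal in an order-q
# subgroup and the leak c_2^q = m^q. All parameters are constructed.

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_params(q, lower):
    """Smallest prime p > lower with q | p-1, and a generator g of the
    order-q subgroup (any h^((p-1)/q) != 1 has order exactly q)."""
    p = lower + 1
    while not (is_prime(p) and (p - 1) % q == 0):
        p += 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, g

def encrypt(p, g, X, m, y):
    """Textbook ElGamal: (c1, c2) = (g^y, m X^y) mod p with sender's random y < q."""
    return pow(g, y, p), m * pow(X, y, p) % p

def fingerprint(p, q, c2):
    """c2^q = (m X^y)^q = m^q (g^q)^{xy} = m^q: depends on m only."""
    return pow(c2, q, p)

def count_qth_roots_of_unity(p, q):
    """Number of m in Z_p^* with m^q = 1. The group is cyclic, so this is q:
    a fraction q/(p-1) of all messages, which is the 'hint' of part b)."""
    return sum(1 for m in range(1, p) if pow(m, q, p) == 1)

if __name__ == "__main__":
    q = 11
    p, g = find_params(q, 10000)
    x = 7                                   # constructed private key
    X = pow(g, x, p)
    m = 4242                                # constructed message
    c = encrypt(p, g, X, m, 5)
    c_again = encrypt(p, g, X, m, 6)        # fresh y, different ciphertext ...
    print(c != c_again, fingerprint(p, q, c[1]) == fingerprint(p, q, c_again[1]))
    # ... but m' = m * g has the same fingerprint although m' != m
    print(fingerprint(p, q, encrypt(p, g, X, m * g % p, 9)[1]) == pow(m, q, p))
    print(count_qth_roots_of_unity(p, q), "messages share each fingerprint")
```

The defensive reading: an observer who cannot decrypt can still tell whether two ciphertexts carry the same $m^q$, which for realistic parameters almost always means the same $m$. This is why ElGamal is used with messages encoded into the order-$q$ subgroup (where $m^q = 1$ carries no information) or with a hashed or hybrid variant rather than on raw $\mathbb{Z}_p$ elements.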

Problem 29
The following protocol is used to authenticate the user A to server B, but not vice versa, i.e. we
assume that the identity of the server is checked by some means (e.g. certificate).
1. A → B : A
2. B → A : $N_B$
3. A → B : $E_{K_{AB}}(N_B)$
a) The assumption is that the user and server share the same (symmetric) encryption key $K_{AB}$.
Explain why it is important that $N_B$ is not repeated. What kind of attack is applicable when the
same $N_B$ is reused?

Solution: The numbers $N_B$ are called nonces (numbers used once). If the attacker observes
the usage of the same $N_B$, he simply resends the previously observed $E_{K_{AB}}(N_B)$ to the server and
identifies himself as A. This is known as a replay attack.
b) If $N_B$ is 64 bits long and chosen randomly, after how many such numbers do you expect a repetition of $N_B$ with high probability? Propose a simple measure to avoid the reuse of $N_B$. Is it
practical? Recall that B is a server and it might share many keys with many users.
Solution: Due to the birthday paradox, after some $2^{32}$ values the probability that the nonce
$N_B$ has already been used is 50%. The server can simply store all used nonces in a list and check
whether a new randomly generated nonce has already been used. This is not practical, as saving
such data for many users requires a huge amount of storage.
c) The protocol can be extended to mutually identify A and B. It works as
1. A → B : A, $N_A$
2. B → A : $E_{K_{AB}}(A, N_A, N_B)$
3. A → B : $E_{K_{AB}}(N_B, N_A)$
The attacker knows all the details of the protocol implementation and is capable of observing
transmitted data. Assume now that encryption is performed using the ECB mode of encryption, that
is, each message block $A, N_A, N_B$ is encrypted separately. Does this mode of encryption provide
a secure identification scheme? Motivate your answer.
Solution: Using the textbook, the ECB mode implies a separate encryption of the message blocks.
For instance, message 2 is encrypted as three blocks $E_{K_{AB}}(A), E_{K_{AB}}(N_A), E_{K_{AB}}(N_B)$. The
attacker sends the last two blocks of message 2 to the server and identifies himself as A.
d) To prevent this attack, instead of the ECB mode another mode is proposed,
$$C_i = E_K(M_i) + C_{i-1},\quad i = 1, \ldots, N,$$
where $C_0 = IV$. This means that for instance in the second step of the protocol the encryption
of the message blocks $A, N_A, N_B$ is done as
$$C_1 = E_K(A) + IV,\qquad C_2 = E_K(N_A) + C_1,\qquad C_3 = E_K(N_B) + C_2.$$
The same approach (mode usage) is applied in the third step of the protocol as well. Does this
modification give a secure protocol? Motivate your answer.
Solution: This gives no more security than the ECB mode. Note that in the 2nd step B sends
to A
$$C_1 = E_K(A) + IV,\qquad C_2 = C_1 + E_K(N_A),\qquad C_3 = C_2 + E_K(N_B).$$
The attacker can then easily compute
$$E_K(N_A) = C_1 + C_2$$
and
$$E_K(N_B) = C_2 + C_3$$
and use them in the 3rd step to construct
$$C_1 = IV + E_K(N_B)$$
and
$$C_2 = C_1 + E_K(N_A).$$

Problem 30
We consider an LFSR of length $n$ bits.
1. Explain why the generated key sequence cannot have a period longer than $2^n - 1$ bits.
Solution An $n$-bit LFSR has $2^n$ possible states. Thus the period is at most $2^n$. However, the all-zero state cannot appear in a maximal period sequence, since it would generate
an all-zero output.

2. Explain why an LFSR that generates maximal period sequences must have an even number
of ones in its tap sequence (connection polynomial). (5 points) Hint: Consider the state
with all ones.
Solution If an LFSR has an odd number of taps and enters the state with all ones, then
the bit to be shifted in is the XOR of an odd number of ones and hence one. So, the device
is stuck in this state.

3. The output sequence of an LFSR starts with 100000001. What is the minimal size of the
LFSR? Your answer should exhibit an LFSR of this size that does produce the given sequence and give a motivation why no shorter LFSR will do.
Solution The given sequence has 7 consecutive zeros. This means that an LFSR of size
seven or less would lead to an all-zero state after the first bit and then just produce zeros.
It is easy to construct an LFSR of size 8 that produces the given output: we put $c_8 = 1$ and
choose arbitrary values for the other taps. With initial state 10000000, this will generate
the desired output.


Problem 31
This problem concerns the DES cipher and modes of usage.
1. One important property which makes DES secure is that the S-boxes are non-linear. In this
problem we are going to verify this property by computing the output of $S_1$ for several pairs
of inputs. Show that $S_1(x_1) \oplus S_1(x_2) \ne S_1(x_1 \oplus x_2)$, where $\oplus$ denotes bitwise XOR, for:
$x_1 = 000000$, $x_2 = 000001$
$x_1 = 111111$, $x_2 = 100000$
Solution Using the S-box table we have
$S_1(000000) = 14 = 0111$; $S_1(000001) = 4 = 0010$;
$S_1(000000) \oplus S_1(000001) = 0101$.
$S_1(x_1 \oplus x_2) = S_1(000001) = 0010 \ne S_1(000000) \oplus S_1(000001) = 0101$.
Similarly for the second pair,
$S_1(111111) = 13 = 1011$; $S_1(100000) = 0 = 0000$;
$S_1(111111) \oplus S_1(100000) = 1011$.
$S_1(x_1 \oplus x_2) = S_1(011111) = 0000 \ne S_1(111111) \oplus S_1(100000) = 1011$.

2. DESX was proposed by R. Rivest to protect DES against exhaustive key search. DESX
uses:
one 64-bit secret key $W$ to perform pre- and post-whitening of data, and
a 56-bit DES key $K$.
DESX operates as follows,
$$C = W \oplus E_K(P \oplus W).$$
Show how the decryption is done.
Solution
$$P = D_K(C \oplus W) \oplus W.$$
3. Show that a similar construction,
$$C = W \oplus E_K(P),$$
without pre-whitening is insecure and can be broken using an attack of complexity $2^{56}$.
Solution This problem was treated in the class exercises. Assumption:
a small number of plaintext/ciphertext pairs $(P_i, C_i)$ are available.
Then for all $2^{56}$ possible values of $K$ we can compute $E_K(P_0)$ and $E_K(P_1)$.
For a correct guess we must have:
$$C_0 \oplus C_1 = W \oplus E_K(P_0) \oplus W \oplus E_K(P_1) = E_K(P_0) \oplus E_K(P_1).$$
However, if the key is not correct then the probability that $C_0 \oplus C_1 = E_K(P_0) \oplus E_K(P_1)$ is
negligible (one may test further with more $(P_i, C_i)$ pairs). Hence, checking $C_0 \oplus C_1 =
E_K(P_0) \oplus E_K(P_1)$ for all keys $K$ we find the right key.
Finally, $W$ is computed as $W = C_i \oplus E_K(P_i)$. The complexity is approximately $2^{56}$ operations for testing all keys $K$.

Problem 32
We consider the RSA encryption.
1. To illustrate the RSA system, we use primes $p = 23$ and $q = 17$. As public encryption key
we use $e = 3$. Compute the decryption key $d$. Show your computations!
Solution We have that $n = 391$ and $\phi(N) = (p-1)(q-1) = 352$. We compute $d$ with the
extended Euclidean algorithm:
$$352 = 117 \cdot 3 + 1,\qquad\text{hence}\qquad 1 = 352 - 117 \cdot 3.$$
Thus $d = -117 = 235$.

2. Describe in detail how the ciphertext $C = 165$ is decrypted. You must show that you understand how the algorithm for efficient modular exponentiation works.
Solution To decrypt 165 means to compute $165^{235} \pmod{391}$. We use the algorithm for
modular exponentiation:
i    2^i    165^(2^i) (mod 391)
0    1      165
1    2      165^2
This table is continued until $i = 7$; the third column is computed by repeated squaring
modulo 391. Finally, one notices that 235 in binary form is 11101011, so the final result
is obtained by multiplying (modulo 391) the numbers in the third column in the rows with
$i = 0, 1, 3, 5, 6, 7$.
3. Suppose Bob has an RSA cryptosystem with a large modulus $n$ for which the factorization
cannot be found, e.g., $n$ is 1024 bits long, and Alice sends a message to Bob by representing
each alphabetic character as an integer between 0 and 25 (i.e., A → 0, B → 1, ..., Z → 25)
and then encrypting each letter as a separate plaintext character.
Describe how Oscar can easily decrypt a message which is encrypted in this way.
Solution A message consists of, let's say, $m$ pieces of ciphertext $y_0, y_1, \ldots, y_{m-1}$. However, the plaintext space is restricted to 26 possible values and the ciphertext space too.
That means we only have to test 26 possible plaintext letters for each ciphertext letter:
$$\text{test: } y_i \stackrel{?}{=} j^e \pmod n,\quad j = 0, 1, \ldots, 25.$$
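All three parts of this problem can be carried out by the same small program. The following is an added example, not code from the exam: it computes $d$ with the extended Euclidean algorithm, decrypts by the table method of part 2 (returning the table rows so that the intermediate squarings are visible), and implements the 26-entry dictionary test of part 3; the sample word in the usage block is constructed.

```python
# Added example (not from the exam): RSA with p = 23, q = 17, e = 3.

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def private_exponent(p, q, e):
    """d = e^{-1} mod phi(N). Here phi = 22 * 16 = 352 and 352 = 117*3 + 1,
    so 3 * (-117) = 1 mod 352 and d = -117 mod 352 = 235."""
    phi = (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    return x % phi

def modexp_table(base, exp, mod):
    """Table method of the solution: row i holds base^(2^i) mod mod, and the
    rows whose bit of exp is 1 are multiplied together.
    Returns (result, rows) with rows = [(i, 2^i, base^(2^i) mod mod), ...]."""
    rows, result, power = [], 1, base % mod
    for i, bit in enumerate(reversed(bin(exp)[2:])):      # bit 0 first
        rows.append((i, 1 << i, power))
        if bit == "1":
            result = result * power % mod
        power = power * power % mod                      # next row by squaring
    return result, rows

def letter_attack(n, e, ciphertexts):
    """Part 3: one letter per RSA block leaves only 26 possible plaintexts,
    so the attacker tabulates j^e mod n for j = 0..25 once and looks up."""
    table = {pow(j, e, n): j for j in range(26)}
    return "".join(chr(ord("A") + table[y]) for y in ciphertexts)

if __name__ == "__main__":
    p, q, e = 23, 17, 3
    n = p * q
    d = private_exponent(p, q, e)                         # 235
    m, rows = modexp_table(165, d, n)
    print(d, m, pow(m, e, n))                             # 235 <plaintext> 165
    for row in rows:
        print(row)
    word = [pow(ord(ch) - ord("A"), e, n) for ch in "HELLO"]   # constructed sample
    print(letter_attack(n, e, word))                      # HELLO
```

The dictionary attack in part 3 works no matter how large $n$ is, because deterministic encryption of a tiny message space is the problem, not the modulus size; padding schemes such as RSA-OAEP exist precisely to randomise the plaintext before exponentiation.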

Problem 33
This problem discusses a common problem related to the RSA cryptosystem.
1. Alice has decided to use RSA for encryption and has generated two large primes $p$ and $q$ and
computed $N = pq$. She has also chosen encryption key $e_A = 3$ and computed her private
key $d_A$.
When her friend Bob hears about this, he also wants to use RSA. Alice assists him by
choosing for him $e_B = 5$ and computing $d_B$, using the same $N$. Alice gives Bob his keys
$(N, e_B)$ and $d_B$.
The next day their common friend Charlie sends a message $m$ encrypted to both Alice and
Bob, using their respective encryption keys. However, the adversary Deborah eavesdrops
and gets hold of the two ciphertexts $c_A$ and $c_B$. Deborah also notices that Alice and Bob
use the same $N$. Show how she can recover $m$. You may assume that $\gcd(m, N) = 1$.
Solution We have that $c_A = m^3 \pmod N$ and $c_B = m^5 \pmod N$. We note that
$5 \cdot 2 - 3 \cdot 3 = 1$, so Deborah computes
$$c_B^2 \left(c_A^{-1}\right)^3 \pmod N = m.$$
Note that $c_A^{-1}$ can be computed using the extended Euclidean algorithm, since $\gcd(m, N) = 1$.

2. Does Deborah's attack generalize to other values of $e_A$ and $e_B$ than 3 and 5?

Solution As long as $e_A$ and $e_B$ satisfy $\gcd(e_A, e_B) = 1$, we know that there exist integers $x$ and $y$ with $x e_A + y e_B = 1$. Thus Deborah computes $c_A^x c_B^y \pmod N$ to recover $m$.
If $\gcd(e_A, e_B) > 1$ this does not work and there does not seem to be an easy attack for
Deborah.
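Problem 23 (exponents $e$ and $e' = e + 2^i$) and this problem (exponents 3 and 5) are the same computation: one modulus, two coprime exponents, Bézout coefficients, and one modular inverse because one of $x, y$ is negative. The following is an added example, not code from the exam: it implements that recovery once and runs it on both exponent pairs with constructed toy primes and a constructed message.

```python
# Added example (not from the exam): message recovery from two RSA
# ciphertexts under the same modulus and coprime exponents (Problems 23 and 33).

def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, n):
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n

def recover_common_modulus(n, e1, c1, e2, c2):
    """Find x, y with e1*x + e2*y = 1 and return c1^x * c2^y mod n, which
    equals m^(e1*x + e2*y) = m. A negative exponent means 'invert first',
    which is where the assumption gcd(m, N) = 1 is used."""
    g, x, y = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    def power(c, k):
        return pow(c, k, n) if k >= 0 else pow(modinv(c, n), -k, n)
    return power(c1, x) * power(c2, y) % n

def flip_zero_bit(e, i):
    """Problem 23: e' = e + 2^i, obtained by turning a zero bit of e into one."""
    if (e >> i) & 1:
        raise ValueError("bit i of e is already one")
    return e | (1 << i)

if __name__ == "__main__":
    p, q = 1019, 1103                 # constructed toy primes (p-1, q-1 coprime to 3, 5, 65537)
    n = p * q
    m = 424242                        # constructed message with gcd(m, n) = 1

    # Problem 23: Bob's e and the one-bit-flipped e' seen by Alice
    e = 65537
    e_flipped = flip_zero_bit(e, 3)   # 65545
    print(recover_common_modulus(n, e, pow(m, e, n), e_flipped, pow(m, e_flipped, n)) == m)

    # Problem 33: Alice's e_A = 3 and Bob's e_B = 5 on the shared N
    print(recover_common_modulus(n, 3, pow(m, 3, n), 5, pow(m, 5, n)) == m)
```

The two lessons are the ones the problems draw: public keys must be authenticated (an unauthenticated bit flip in $e$ is enough), and an RSA modulus must never be shared between users, since sharing $N$ already breaks confidentiality even before anyone uses the private keys to factor it.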

Problem 34
We consider yet another published, flawed protocol for authentication and session key agreement,
the Neuman-Stubblebine protocol. It employs a trusted third party and runs as follows:
1. A → B : A, $N_A$
2. B → T : B, $\{A, N_A, T_B\}_{K_{BT}}$, $N_B$
3. T → A : $\{B, N_A, K_{AB}, T_B\}_{K_{AT}}$, $\{A, K_{AB}, T_B\}_{K_{BT}}$, $N_B$
4. A → B : $\{A, K_{AB}, T_B\}_{K_{BT}}$, $\{N_B\}_{K_{AB}}$
The protocol employs both timestamps and nonces. Some remarks:
Alice initiates the run in message 1, sending her name and a nonce $N_A$ to Bob.
Bob contacts the trusted third party Trent, forwarding Alice's information and adding a
nonce $N_B$ of his own and a timestamp $T_B$. Part of the message is encrypted with the key
$K_{BT}$ shared by Bob and Trent.
Trent generates a session key $K_{AB}$ to be used by Alice and Bob and sends to Alice a message
with two encrypted parts, one for Alice and one for Bob, and Bob's nonce in the clear. The
part encrypted for Bob, $\{A, K_{AB}, T_B\}_{K_{BT}}$, is called the ticket.
Alice checks her nonce and forwards the ticket to Bob, together with Bob's nonce encrypted
with the session key. This last piece convinces Bob both that the message is fresh and that
the sender is Alice.
However, the system is flawed. Assume that keys and nonces have the same sizes in bits. Show how
an adversary, eavesdropping on messages 1 and 2 of the initial protocol, may intercept and himself
send a valid message 4 to Bob, claiming to be Alice, and thus complete the initial protocol and
communicate with Bob using encryption with a session key that Bob believes he shares with Alice.
Solution The adversary eavesdrops and hears the first two messages. He then notices he can
construct a valid message 4, as follows:
He uses the encrypted part of message 2, i.e. $\{A, N_A, T_B\}_{K_{BT}}$, as the first part of his message.
It has the correct structure, with A first and B's timestamp $T_B$ last, and in the middle the
nonce $N_A$ playing the role of $K_{AB}$.
To complete the message, he just needs to encrypt $N_B$ using $N_A$ as key (both of these were sent
unencrypted in messages 1 and 2). The complete protocol run is:
1. A → B : A, $N_A$
2. B → T : B, $\{A, N_A, T_B\}_{K_{BT}}$, $N_B$
3. T → A : ...
4. A → B : $\{A, N_A, T_B\}_{K_{BT}}$, $\{N_B\}_{N_A}$
The third message, from T to A, plays no role in the attack.
