2015 Exam 1

Uploaded by

isaac661133
Cryptography Midterm Exam 2015/05/05

Part I (3 points each)

1. Which is the order of the multiplicative group $\mathbb{Z}_{50}^*$?
A. 16 B. 20 C. 25 D. 40 E. None of the above

2. Which is a generator (primitive root) of the cyclic multiplicative group $\mathbb{Z}_{50}^*$?
A. 3 B. 7 C. 9 D. 11 E. None of the above

3. How many monic irreducible polynomials of degree 2 are there over GF(5)?
A. 5 B. 8 C. 10 D. 15 E. None of the above

4. Which mode of operation uses a block cipher as a building block to form an asynchronous (or self-synchronizing) stream cipher?
A. CBC B. CTR C. CFB D. OFB E. None of the above

5. Which is NOT a finalist of the AES selection?


A. RC4 B. Rijndael C. Twofish D. Serpent E. None of the above

6. Which (k, nr) is legal for AES where nr is the number of rounds corresponding to
key length k bits? The last round is counted though MixColumn is missing.
A. (64, 9) B. (128, 10) C. (192, 11) D. (256, 12) E. None of the above

7. Which quotient ring is isomorphic to GF(81)?
A. $GF(3)[x] / \langle x^4 + x^3 + x + 1 \rangle$ B. $GF(3)[x] / \langle x^4 + 2x^3 + 1 \rangle$
C. $GF(3)[x] / \langle x^4 + x^3 + x + 2 \rangle$ D. $GF(3)[x] / \langle x^4 + 2x^3 + 2 \rangle$ E. None of the above

8. Which irreducible polynomial over GF(3) is primitive?
A. $x^4 + x^3 + x^2 + x + 1$ B. $x^4 + x^3 + 2x + 1$
C. $x^4 + 2x^3 + x^2 + 2x + 1$ D. $x^4 + x^2 + 2$ E. None of the above

9. Which relation does an operation D of the diffusion layer of AES always satisfy for arbitrary inputs A and B?
A. $D(A \oplus B) \neq A \oplus B$ B. $D(A \oplus B) = A \oplus B$
C. $D(A \oplus B) = D(A) \oplus D(B)$ D. $D(A \oplus B) \neq D(A) \oplus D(B)$ E. None of the above

10. Which attack is applied so that the effective key length of 3-key triple DES is only 112 bits instead of 168 bits?
A. Meet-in-the-Middle B. Man-in-the-Middle
C. Differential Attack D. Linear Attack E. None of the above

Part II (3 points each)

- Consider the multiplicative group $G = \mathbb{Z}_{31}^*$.
  - The order of 4 in G is ____(11)____.
  - The solution to the discrete logarithm $3^x \equiv 4 \pmod{31}$ is x = ____(12)____.

- Euclidean Algorithm
  - GCD(72593, 85907) = ____(13)____.
  - a = ____(14)____ and b = ____(15)____ is the pair of integers satisfying 47a + 256b = 1, where a is the least positive one.


- To show that 2 is a generator (primitive root) of the multiplicative group $\mathbb{Z}_{181}^*$, it suffices to verify $2^u \neq 1$, $2^v \neq 1$, and $2^w \neq 1$, where 0 < u < v < w. We have (u, v, w) = ( ____(16)____ , ____(17)____ , 90).

- The Galois field GF(64) is unique up to isomorphism.
  - GF(64) consists of all roots of f(x) = ____(18)____ over GF(2).
  - GF(64) can be represented by the quotient ring $K = GF(2)[x] / \langle x^6 + g(x) \rangle$, where g(x) = ____(19)____ is a polynomial of degree $\le 2$ over GF(2).
  - If h(x) is a polynomial of degree $\le 5$ over GF(2) satisfying the relation of cosets $[x^{2015}] = [h(x)]$ in K, then h(x) = ____(20)____.

- A simple PRNG, the Linear Congruential Generator, is generated by a recursive formula $S_{i+1} = A S_i + B \bmod m$, where A, B, and the seed $S_0$ are kept secret. Suppose m = 31, and the first three outputs $S_1 = 12$, $S_2 = 6$, and $S_3 = 21$ are obtained, then $S_4$ = ____(21)____ and $S_5$ = ____(22)____. All the following outputs $S_i$ are predictable, which is very bad for cryptographic applications.

- Consider an LFSR of degree 181 generated by a primitive polynomial (degree 181).
  - The period of its output sequence is ____(23)____.
  - As soon as an attacker knows ____(24)____ consecutive output bits, the polynomial can be constructed by merely solving a system of linear equations, hence the output sequence of such an LFSR is predictable.
- The following reference code comes from the book “The Design of Rijndael” written by J. Daemen and V. Rijmen:
typedef unsigned char word8;
word8 Logtable[256] = {
0, 0, 25, 1, 50, 2, 26,198, 75,199, 27,104, 51,238,223, 3,100, 4,224, 14,
52,141,129,239, 76,113, 8,200,248,105, 28,193,125,194, 29,181,249,185, 39,106,
77,228,166,114,154,201, 9,120,101, 47,138, 5, 33, 15,225, 36, 18,240,130, 69,
53,147,218,142,150,143,219,189, 54,208,206,148, 19, 92,210,241, 64, 70,131, 56,
102,221,253, 48,191, 6,139, 98,179, 37,226,152, 34,136,145, 16,126,110, 72,195,
163,182, 30, 66, 58,107, 40, 84,250,133, 61,186, 43,121, 10, 21,155,159, 94,202,
78,212,172,229,243,115,167, 87,175, 88,168, 80,244,234,214,116, 79,174,233,213,
231,230,173,232, 44,215,117,122,235, 22, 11,245, 89,203, 95,176,156,169, 81,160,
127, 12,246,111, 23,196, 73,236,216, 67, 31, 45,164,118,123,183,204,187, 62, 90,
251, 96,177,134, 59, 82,161,108,170, 85, 41,157,151,178,135,144, 97,190,220,252,
188,149,207,205, 55, 63, 91,209, 83, 57,132, 60, 65,162,109, 71, 20, 42,158, 93,
86,242,211,171, 68, 17,146,217, 35, 32, 46,137,180,124,184, 38,119,153,227,165,
103, 74,237,222,197, 49,254, 24, 13, 99,140,128,192,247,112, 7};

word8 Alogtable[256] = {
1, 3, 5, 15, 17, 51, 85,255, 26, 46,114,150,161,248, 19, 53, 95,225, 56, 72,
216,115,149,164,247, 2, 6, 10, 30, 34,102,170,229, 52, 92,228, 55, 89,235, 38,
106,190,217,112,144,171,230, 49, 83,245, 4, 12, 20, 60, 68,204, 79,209,104,184,
211,110,178,205, 76,212,103,169,224, 59, 77,215, 98,166,241, 8, 24, 40,120,136,
131,158,185,208,107,189,220,127,129,152,179,206, 73,219,118,154,181,196, 87,249,
16, 48, 80,240, 11, 29, 39,105,187,214, 97,163,254, 25, 43,125,135,146,173,236,
47,113,147,174,233, 32, 96,160,251, 22, 58, 78,210,109,183,194, 93,231, 50, 86,
250, 21, 63, 65,195, 94,226, 61, 71,201, 64,192, 91,237, 44,116,156,191,218,117,
159,186,213,100,172,239, 42,126,130,157,188,223,122,142,137,128,155,182,193, 88,
232, 35,101,175,234, 37,111,177,200, 67,197, 84,252, 31, 33, 99,165,244, 7, 9,
27, 45,119,153,176,203, 70,202, 69,207, 74,222,121,139,134,145,168,227, 62, 66,
198, 81,243, 14, 18, 54, 90,238, 41,123,141,140,143,138,133,148,167,242, 13, 23,
57, 75,221,124,132,151,162,253, 28, 36,108,180,199, 82,246, 1};

/* The tables Logtable and Alogtable are used to perform multiplications in GF(256) */
word8 mul(word8 a, word8 b) {
    if (a && b) return Alogtable[(Logtable[a] + Logtable[b])%255];
    else return 0;
}

GF(256) is constructed by $m(x) = x^8 + x^4 + x^3 + x + 1$ in AES. The above tables (20 entries in each row) are built by the primitive element x + 1 of $GF(2)[x] / \langle m(x) \rangle \cong GF(256)$.
  - If $x^8 + p(x)$ is a primitive polynomial over GF(2), then the degree-4 polynomial p(x) = ____(25)____. Hint: Use the above fact.
  - Express the elements of GF(256) in hexadecimal as AES does, then ‘57’ $\cdot$ ‘6F’ = ____(26)____, (‘6F’)$^{-1}$ = ____(27)____ (all in hexadecimal).
  - Complete the subroutine computing the square of an arbitrary element in GF(256):
word8 square(word8 a) {
    if (a) return Alogtable[ ____(28)____ ];
    else return 0;
}
- Let
  $$\begin{cases} y = e_{k_1}(x) = 17x + 3 \pmod{26} \\ y = e_{k_2}(x) = 9x + 1 \pmod{26} \end{cases}$$
  be two affine ciphers with the encryption keys k1 = (17, 3) and k2 = (9, 1) respectively.
  - The decryption function of $e_{k_1}$ is $x = d(y) = my + n \pmod{26}$ with the key (m, n) = ____(29)____, where $m, n \in \mathbb{Z}_{26}$.
  - The composition $y = e_{k_2}(e_{k_1}(x)) = m'x + n' \pmod{26}$ is again an affine cipher with the key (m′, n′) = ____(30)____, where $m', n' \in \mathbb{Z}_{26}$. Therefore applying affine ciphers twice will not increase the security.
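
The table construction described in the GF(256) item above, as an added example that is not part of the exam or of the Daemen–Rijmen reference code: it rebuilds both tables from the primitive element x + 1 and m(x), then derives inversion and element order from the logarithms. The names logt, alogt, xtime, build_tables, gf_mul, gf_inv and gf_order are chosen for this example.

```c
#include <stdio.h>
#include <stdint.h>

typedef uint8_t word8;
static word8 logt[256], alogt[256];  /* example names, not the book's arrays */

/* Multiply by x modulo m(x) = x^8 + x^4 + x^3 + x + 1 (low byte 0x1B). */
static word8 xtime(word8 a) {
    return (word8)((a << 1) ^ ((a & 0x80) ? 0x1B : 0x00));
}

/* Walk the powers of g = x + 1 ('03'): alogt[i] = g^i, logt[g^i] = i. */
void build_tables(void) {
    word8 p = 1;
    for (int i = 0; i < 255; i++) {
        alogt[i] = p;
        logt[p] = (word8)i;
        p = (word8)(xtime(p) ^ p);   /* p*(x + 1) = p*x + p */
    }
    alogt[255] = 1;  /* g^255 = 1, the wrap-around entry of the reference table */
    logt[0] = 0;     /* log 0 is undefined; the reference table stores 0 there */
}

word8 gf_mul(word8 a, word8 b) {
    if (a == 0 || b == 0) return 0;
    return alogt[(logt[a] + logt[b]) % 255];
}

/* a^(-1) = g^(255 - log a); 0 has no inverse, so 0 is returned for it. */
word8 gf_inv(word8 a) {
    return a ? alogt[(255 - logt[a]) % 255] : 0;
}

/* Multiplicative order of a: 255 / gcd(255, log a); 255 means primitive. */
int gf_order(word8 a) {
    if (a == 0) return 0;
    int x = 255, y = logt[a];
    while (y) { int t = x % y; x = y; y = t; }
    return 255 / x;
}

int main(void) {
    build_tables();
    printf("57*6F=%02X inv(6F)=%02X ord(02)=%d ord(03)=%d\n",
           gf_mul(0x57, 0x6F), gf_inv(0x6F), gf_order(0x02), gf_order(0x03));
    return 0;
}
```
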

Part III (Write down all details of your work)

31 (3 points) Suppose H is a subgroup of G, prove that two left cosets $g_1 H = g_2 H$ if and only if $g_1^{-1} g_2 \in H$, where $g_1, g_2 \in G$.

32 (7 points) Mode of Operation: OFB (Output Feedback) Mode


(a) Describe the encryption and decryption of a message by a block cipher in
OFB mode. Drawing a figure is helpful.
(b) What is the advantage of OFB mode?
(c) Explain why the key stream generated by OFB mode must be periodic. What
is the maximal period length for AES in OFB mode? Express your answer in
the number of blocks.
(d) Explain the risk if two different messages are encrypted by the same key and
the same IV in OFB mode.

Name: __________ Department: ________ Student ID#: __________

1 2 3 4 5 6 7 8 9 10
11 12 13 14 15
16 17 18 19 20
21 22 23 24 25
26 27 28 29 30
31 & 32

Solution

(1) B   (2) A   (3) C   (4) C   (5) A   (6) B   (7) D   (8) E   (9) C   (10) A
(11) 5   (12) 18   (13) 317   (14) 207   (15) $-38$
(16) 36   (17) 60   (18) $x^{64} - x$   (19) $x + 1$   (20) $x^5 + 1$
(21) 30   (22) 23   (23) $2^{181} - 1$   (24) 362   (25) $x^4 + x^3 + x^2 + 1$
(26) 22   (27) 3B   (28) Logtable[a]*2 %255   (29) (23, 9)   (30) (23, 2)

Question 2: A. o(3) = 20, B. o(7) = 4, C. o(9) = 10, D. o(11) = 10
Question 8: A. o(x) = 5, B. o(x) = 20, C. o(x) = 10, D. o(x) = 16
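
The prediction described in the Linear Congruential Generator item of Part II, as an added example that is not part of the exam: three consecutive outputs give A = (S3 − S2)(S2 − S1)^(−1) mod m and then B = S2 − A·S1 mod m, with the inverse computed by the extended Euclidean algorithm from the Euclidean Algorithm item. The function names are chosen for this example, and m is assumed known, as in the problem.

```c
#include <stdio.h>

/* Reduce v into 0..m-1, also for negative v. */
static long mod(long v, long m) { return ((v % m) + m) % m; }

/* Extended Euclid: returns gcd(a, b) and sets *x, *y so that a*x + b*y = gcd. */
long egcd(long a, long b, long *x, long *y) {
    if (b == 0) { *x = 1; *y = 0; return a; }
    long x1, y1;
    long g = egcd(b, a % b, &x1, &y1);
    *x = y1;
    *y = x1 - (a / b) * y1;
    return g;
}

/* Recover (A, B) of S_{i+1} = A*S_i + B mod m from outputs s1, s2, s3.
   Subtracting consecutive equations gives s3 - s2 = A*(s2 - s1) mod m.
   Returns 0 on success, -1 if (s2 - s1) has no inverse mod m. */
int lcg_recover(long s1, long s2, long s3, long m, long *A, long *B) {
    long d = mod(s2 - s1, m), inv, unused;
    if (egcd(d, m, &inv, &unused) != 1) return -1;
    *A = mod(mod(s3 - s2, m) * mod(inv, m), m);
    *B = mod(s2 - *A * s1, m);
    return 0;
}

/* One step of the generator with the recovered parameters. */
long lcg_next(long s, long A, long B, long m) { return mod(A * s + B, m); }

int main(void) {
    long A, B, m = 31;                 /* values from the exam problem */
    if (lcg_recover(12, 6, 21, m, &A, &B) != 0) return 1;
    long s4 = lcg_next(21, A, B, m);
    printf("A=%ld B=%ld S4=%ld S5=%ld\n", A, B, s4, lcg_next(s4, A, B, m));
    return 0;
}
```
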
