Alan Kaminsky Department of Computer Science Rochester Institute of Technology 4486 + 2220 = 6706
Home Page
Cryptography 4003-482-01/4005-705-01 Spring Quarter 2013
Course Page

4003-482-01/4005-705-01 Cryptography
Take-Home Quiz 2

Prof. Alan Kaminsky -- Spring Quarter 2013
Rochester Institute of Technology -- Department of Computer Science

Instructions
Required Reading
Questions
Grading


Instructions

Record your answers to the questions below in a plain text file. Your plain text file must be named "<username>.txt", where <username> is the user name of your Computer Science Department account. I will not accept anything other than a plain text file.

Important: Unless otherwise specified, to receive full credit, the complete answer to every question must appear in your plain text file.

Show your work. If your answer is incorrect and you did not show your work, the question will get 0 points. If your answer is incorrect but you showed your work, the question might receive partial credit.

Send your plain text file to me by email at ark@cs.rit.edu. Include your full name in the email message, and include the plain text file as an attachment.

When I receive your email message, I will:

  1. Verify whether the message includes your full name.
  2. Verify whether I can read your plain text file.

I will then send you a reply email message stating whether I accepted your submission or not. If you have not received a reply within one business day (i.e., not counting weekends), please contact me. Your quiz is not successfully submitted until I have sent you an acknowledgment that I accepted it.

The submission deadline is Tuesday, 09-Apr-2013, at 11:59pm. The date/time when your email message arrives in my inbox (not when you sent the message) will determine whether your quiz meets the deadline.

You may submit your quiz multiple times before the deadline. I will keep and grade only your most recent submission that arrived before the deadline. There is no penalty for multiple submissions.

If you submit your quiz before the deadline, but I do not accept it, and you cannot or do not submit it again before the deadline, the quiz will be late (see below). I strongly advise you to submit the quiz several days before the deadline, so there will be time to deal with any problems that might arise in the submission process.

Late quizzes: I will not accept a late quiz unless you arrange with me for an extension. See the Course Policies for my policy on extensions. Late quizzes will receive a grade of zero.

Plagiarism: The quiz must be entirely your own work. See the Course Policies for my policy on plagiarism.


Required Reading


Questions

Questions 1-2. We are doing arithmetic in GF(2^6) using the irreducible polynomial P(x) = x^6 + x + 1. Let A(x) = x^5 + x^4 + x^3, B(x) = x^4 + x + 1.

Question 1 (4 points). Compute A(x) + B(x).

Question 2 (4 points). Compute A(x) ⋅ B(x).

Question 3 (4 points). What is the output of the first round of the AES algorithm when the 128-bit plaintext and the 128-bit key are (in hexadecimal):

Plaintext = B354 3888 C9F6 3D7A 220D 6BFB 8C2C FB65
Key       = FC1B 77C7 86B9 7235 6D42 24B4 C363 B42A

The first round is defined to consist of the following sequence of operations: AddRoundKey, SubBytes, ShiftRows, MixColumns.

Question 4 (8 points). A certain 64-bit plaintext block was encrypted using the PRESENT block cipher with a key of FEDCBA98765432100123 hexadecimal. The ciphertext was D6C9FD715CA648FC hexadecimal. What was the plaintext in hexadecimal?

You may use the PRESENT block cipher implementation posted on the course web site to answer Question 4.

Questions 5-6. Suppose you encrypt a certain plaintext block using a block cipher with a certain key, yielding a certain ciphertext block. If you invert one bit of the plaintext and encrypt that with the same key, half of the ciphertext bits on the average should stay the same, and half of the ciphertext bits on the average should be inverted. This is called the avalanche effect.

You may use the PRESENT block cipher implementation posted on the course web site to answer Questions 5-6.

Question 5 (8 points). Pick an arbitrary 64-bit plaintext block and an arbitrary 80-bit key. Give a table with 65 rows. Each row contains three items. The first row consists of the original plaintext; the ciphertext computed by encrypting the original plaintext using the PRESENT block cipher with the chosen key; and the key itself. The second row consists of the plaintext formed by inverting the rightmost bit of the original plaintext; the corresponding ciphertext; and the number of bit positions in which that ciphertext differs from the original ciphertext. The third row consists of the plaintext formed by inverting the second-rightmost bit of the original plaintext; the corresponding ciphertext; and the number of bit positions in which that ciphertext differs from the original ciphertext. And so on. . . . The 65th row consists of the plaintext formed by inverting the leftmost bit of the original plaintext; the corresponding ciphertext; and the number of bit positions in which that ciphertext differs from the original ciphertext. The plaintexts, ciphertexts, and key are listed in hexadecimal.

Question 6 (4 points). Based on the data in Question 5, does the PRESENT block cipher exhibit the avalanche effect? Justify your answer.
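
The avalanche measurement described in Questions 5-6, as an added example that is not part of the original quiz and is not the implementation posted on the course web site: PRESENT-80 written from the published specification, plus a function that inverts each plaintext bit in turn and counts the differing ciphertext bits. The plaintext and key under `__main__` are constructed sample values, and the function names are this example's own.

```python
# PRESENT-80 written from the published cipher specification (added example,
# not the implementation posted on the course web site).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASK80 = (1 << 80) - 1

def round_keys(key):
    """Expand an 80-bit key into the 32 64-bit round keys."""
    keys = []
    for counter in range(1, 33):
        keys.append(key >> 16)                        # leftmost 64 bits
        key = ((key << 61) | (key >> 19)) & MASK80    # rotate left by 61
        key = (SBOX[key >> 76] << 76) | (key & ((1 << 76) - 1))
        key ^= counter << 15                          # counter into bits 19..15
    return keys

def s_layer(state):
    """Apply the 4-bit S-box to each of the 16 nibbles."""
    return sum(SBOX[(state >> (4 * n)) & 0xF] << (4 * n) for n in range(16))

def p_layer(state):
    """Bit b moves to position 16*b mod 63; bit 63 stays in place."""
    return sum(((state >> b) & 1) << (63 if b == 63 else 16 * b % 63)
               for b in range(64))

def present_encrypt(plaintext, key):
    keys = round_keys(key)
    state = plaintext
    for k in keys[:31]:                               # 31 full rounds
        state = p_layer(s_layer(state ^ k))
    return state ^ keys[31]                           # final key addition

def avalanche(plaintext, key):
    """Differing ciphertext bits when plaintext bit b (0 = rightmost) is inverted."""
    base = present_encrypt(plaintext, key)
    return [bin(base ^ present_encrypt(plaintext ^ (1 << b), key)).count("1")
            for b in range(64)]

if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0x00112233445566778899  # constructed values
    print(f"{pt:016X} {present_encrypt(pt, key):016X} {key:020X}")
    counts = avalanche(pt, key)
    for b, n in enumerate(counts):
        flipped = pt ^ (1 << b)
        print(f"{flipped:016X} {present_encrypt(flipped, key):016X} {n}")
    print("mean differing bits:", sum(counts) / 64)
```
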

Question 7 (4 points). Alice and Bob are using a block cipher in output feedback (OFB) mode to exchange encrypted messages. They are not using any integrity checking or authentication. Alice encrypts a message and sends it to Bob; however, the first block of ciphertext (and only the first block) is corrupted due to noise on the channel. When Bob decrypts the (corrupted) message, which plaintext block(s) will be correct and which plaintext block(s) will be incorrect? Explain your answer.

Question 8 (4 points). Repeat Question 7, except use cipher feedback (CFB) mode.

Questions 9-10. Consider the following S-box. The input bits, from most significant to least significant, are X1 X2 X3 X4. The output bits, from most significant to least significant, are Y1 Y2 Y3 Y4.

i:        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Sbox[i]:  C  8  F  0  3  9  B  D  4  2  6  E  1  7  A  5

Question 9 (4 points). What is the bias of the linear approximation X1 + X2 = Y1 + Y4? Show how you derived your answer by listing, for each possible S-box input value, the quantities needed to determine the answer.

Question 10 (4 points). What is the probability of the differential (ΔX, ΔY) = (1010, 1010)? Show how you derived your answer by listing, for each possible S-box input value, the quantities needed to determine the answer.
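
An added example (not part of the original quiz) that tabulates, for each S-box input, the quantities behind a linear approximation's bias and a differential's probability, using the S-box given above. Masks put X1 and Y1 in the most significant bit, so X1 + X2 = Y1 + Y4 is input mask 1100 and output mask 1001; the function names are this example's own.

```python
from fractions import Fraction

# S-box from Questions 9-10; X1/Y1 are the most significant bits.
SBOX = [0xC, 0x8, 0xF, 0x0, 0x3, 0x9, 0xB, 0xD,
        0x4, 0x2, 0x6, 0xE, 0x1, 0x7, 0xA, 0x5]

def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1

def linear_rows(in_mask, out_mask, sbox=SBOX):
    """Per input x: (x, S[x], XOR of masked input bits, XOR of masked output bits)."""
    return [(x, sbox[x], parity(x & in_mask), parity(sbox[x] & out_mask))
            for x in range(len(sbox))]

def bias(in_mask, out_mask, sbox=SBOX):
    """Fraction of inputs for which the approximation holds, minus 1/2."""
    rows = linear_rows(in_mask, out_mask, sbox)
    holds = sum(1 for _, _, lhs, rhs in rows if lhs == rhs)
    return Fraction(holds, len(sbox)) - Fraction(1, 2)

def differential_rows(dx, sbox=SBOX):
    """Per input x: (x, x ^ dx, S[x], S[x ^ dx], output difference)."""
    return [(x, x ^ dx, sbox[x], sbox[x ^ dx], sbox[x] ^ sbox[x ^ dx])
            for x in range(len(sbox))]

def diff_prob(dx, dy, sbox=SBOX):
    """Fraction of inputs x for which S[x] ^ S[x ^ dx] equals dy."""
    rows = differential_rows(dx, sbox)
    return Fraction(sum(1 for row in rows if row[4] == dy), len(sbox))

if __name__ == "__main__":
    for x, y, lhs, rhs in linear_rows(0b1100, 0b1001):
        print(f"x={x:04b} S[x]={y:04b} X1+X2={lhs} Y1+Y4={rhs} holds={lhs == rhs}")
    print("bias =", bias(0b1100, 0b1001))
    for x, x2, y, y2, dy in differential_rows(0b1010):
        print(f"x={x:04b} x'={x2:04b} S[x]={y:04b} S[x']={y2:04b} dY={dy:04b}")
    print("probability =", diff_prob(0b1010, 0b1010))
```
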

Question 11 (2 points). A differential attack was performed on the PRESENT block cipher reduced to two rounds. The attack found the following round subkeys (in hexadecimal):

Round 0 subkey = A0486210BC1F58B4
Round 1 subkey = E0C934090C421783
Round 2 subkey = AD62DC1926812189

Give the full 80-bit key in hexadecimal that was input to the PRESENT key schedule.


Grading

The quiz is worth a total of 50 points as listed above for each question.

Important: Unless otherwise specified, to receive full credit, the complete answer to every question must appear in your plain text file. When grading your quiz, I will look only at your plain text file unless otherwise specified.

Show your work. If your answer is incorrect and you did not show your work, the question will get 0 points. If your answer is incorrect but you showed your work, the question might receive partial credit.

After grading your quiz I will put your grade and any comments I have in your encrypted grade file. For further information, see the Course Grading and Policies and the Encrypted Grades.

Copyright © 2013 Alan Kaminsky. All rights reserved. Last updated 30-Mar-2013. Please send comments to ark@cs.rit.edu.