Alan Kaminsky • Department of Computer Science • Rochester Institute of Technology
Foundations of Cryptography • CSCI 662-01 • Spring Semester 2018

## CSCI 662-01—Foundations of Cryptography Homework 4

Prof. Alan Kaminsky—Spring Semester 2018
Rochester Institute of Technology—Department of Computer Science

### Questions

Questions 1–3. The BadAes block cipher has the same block size (128 bits) as AES, the same key size (128 bits) as AES, the same state matrix as AES, and the same key schedule as AES. However, BadAes has only one round consisting of the following three steps, which are the same as in AES: AddRoundKey, SubBytes, ShiftRows. (Note: In AES, the first round subkey is the same as the original key.)

1. The BadAes block cipher is operated in Cipher Block Chaining (CBC) mode. In CBC mode, the plaintext is padded with a 1 bit followed by as many 0 bits as necessary to fill the final block. The plaintext 57ef694da00453fbd2fdd30970024a2a (hex) is encrypted with the key e0836da77383cf66e618b35beb95d2e7 (hex) and the IV 7c3bc1560468f68468b89fa148ccfd80 (hex). What is the ciphertext (hex)?

2. Repeat Question 1, except now the BadAes block cipher is operated in Output Feedback (OFB) mode.

3. An oracle for the BadAes block cipher (without any mode of operation) tells you that when the plaintext a8b1b013512bdd7d78f65c2483a533e1 is encrypted with a certain key, the ciphertext is 764b70e8cf18d7e0537a601ad131e8e4. What is the key?

Questions 4–5. Consider the following four-bit S-box. The input bits are labeled X1, X2, X3, X4. The output bits are labeled Y1, Y2, Y3, Y4.

```
x     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
S[x]  5  7  e  d  9  3  c  1  0  a  f  8  6  b  2  4
```

4. What is the bias of the linear approximation X2 + X3 + Y1 + Y4 = 0? Show how you derived your answer by listing, for each possible S-box input value, the quantities needed to determine the answer.

5. What is the probability of the differential (ΔX, ΔY) = (1011, 1101)? Show how you derived your answer by listing, for each possible S-box input value, the quantities needed to determine the answer.
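The per-input tabulation that Questions 4 and 5 ask for can be generated mechanically. The following is an added example, not part of the original assignment; it generalizes to any mask pair or difference pair for this S-box. It assumes that X1 and Y1 are the most significant bits of the input and output nibbles (the page does not state the bit order), and the function names are hypothetical.

```python
from fractions import Fraction

# S-box copied from the table above (index = input nibble, value = output nibble).
SBOX = [0x5, 0x7, 0xE, 0xD, 0x9, 0x3, 0xC, 0x1,
        0x0, 0xA, 0xF, 0x8, 0x6, 0xB, 0x2, 0x4]

def mask(*labels):
    """Build a 4-bit mask from 1-based bit labels. Assumption: label 1 is the MSB."""
    m = 0
    for b in labels:
        m |= 1 << (4 - b)
    return m

def parity(v):
    """XOR of all bits of v."""
    return bin(v).count("1") & 1

def linear_rows(in_mask, out_mask, sbox=SBOX):
    """One row per input: (x, S[x], input parity, output parity, approximation holds)."""
    rows = []
    for x, y in enumerate(sbox):
        px, py = parity(x & in_mask), parity(y & out_mask)
        rows.append((x, y, px, py, (px ^ py) == 0))
    return rows

def bias(in_mask, out_mask, sbox=SBOX):
    """Bias = Pr[approximation holds] - 1/2, taken over all inputs."""
    holds = sum(1 for r in linear_rows(in_mask, out_mask, sbox) if r[4])
    return Fraction(holds, len(sbox)) - Fraction(1, 2)

def differential_rows(dx, sbox=SBOX):
    """One row per input: (x, x', S[x], S[x'], output difference), with x' = x XOR dx."""
    return [(x, x ^ dx, sbox[x], sbox[x ^ dx], sbox[x] ^ sbox[x ^ dx])
            for x in range(len(sbox))]

def differential_probability(dx, dy, sbox=SBOX):
    """Fraction of inputs whose output difference equals dy."""
    hits = sum(1 for r in differential_rows(dx, sbox) if r[4] == dy)
    return Fraction(hits, len(sbox))

if __name__ == "__main__":
    for row in linear_rows(mask(2, 3), mask(1, 4)):
        print("x=%x S[x]=%x X2+X3=%d Y1+Y4=%d holds=%s" % row)
    print("bias =", bias(mask(2, 3), mask(1, 4)))
    for row in differential_rows(0b1011):
        print("x=%x x'=%x S[x]=%x S[x']=%x dY=%x" % row)
    print("probability =", differential_probability(0b1011, 0b1101))
```
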

### Submission Requirements

Put your answers in a plain text file named "<username>.txt", replacing <username> with the user name from your Computer Science Department account. Send your plain text file to me by email at ark@cs.rit.edu. Include your full name and your computer account name in the email message, and include the plain text file as an attachment.

The submission deadline is Friday, March 9, 2018 at 11:59pm. The date/time at which your email message arrives in my inbox will determine whether your homework meets the deadline.

You may submit your homework multiple times up until the deadline. I will keep and grade only the most recent successful submission. There is no penalty for multiple submissions.

If you submit your homework before the deadline, but I do not accept it (e.g. a plain text file was not attached to your email), and you cannot or do not submit your homework again before the deadline, the homework will be late (see below). I STRONGLY advise you to submit the homework several days BEFORE the deadline, so there will be time to deal with any problems that might arise in the submission process.

Each homework question will be graded as follows, for a total of 10 points:
2 = Correct
1 = Partially correct
0 = Incorrect or missing