Do not hand in homework electronically; print it out and bring it to class.

**Problem 1. (Difficulty: 2) **

Please implement the 4-round attack against Rijndael.

First, download the Rijndael source
to your computer and unzip it and build it (for Unix, just run `make`;
you might have to add the line `CC=gcc` if the cc compiler does not
exist on your machine).
Then download a program
I wrote 4rnds.c and build it. For unix

% gcc rijndael-alg-fst.o 4rnds.cand your executable is

If you get something else, don't continue! You need to get this right before proceeding!

Ok, now here's your goal: I ran this same program, `4rnds.c`, with a
**different** key which I'm not telling you, but the same plaintexts
(which happen to be very nice for the Square attack, as you can see from
the source code). Under this secret key, I got
256 ciphertexts which you now will use to mount the attack.

The answer to this problem is the value of that secret key. This means you'll have to study the key schedule, but that's not too hard. Along with your answer, please provide the well-documented source code you used to crack this cipher.

As has been pointed out, you probably will get **several** candidate
keys. You can narrow these down by trying each of them on the following
plaintext/ciphertext pair (which uses the same secret key you are looking
for). If there is still more than one candidate key which works, please
hand in all that you found.

pt: 0102030405060708090a0b0c0d0e0f00 ct: 71fae486fafc990d4a44a21a7fac6b75

** Problem 2. (Difficulty: 5) **

Define blockcipher X as follows: X has a 128-bit blocksize and
a 12800-bit key K. K is broken into 100 chunks of 128-bits each,
K_{1} through K_{100}.
Round i of X goes like this: C_{0}=P_{0} and
on input P_{i-1},
compute C_{i}=S(C_{i-1}) xor K_{i}, where S() is the
inversion of its input in GF(2^{128}) (and 0 goes to 0 as usual).
The output of the blockcipher is C_{100}.

Break this thing. Use a chosen-plaintext attack (or a chosen-ciphertext attack if you please) and show that you can quickly distinguish this thing from random. Or better, show that you can decipher any given ciphertext block (which is equivalent to having the key, tho you won't be able to actually recover the full key here).

** Problem 3. (Difficulty: 4) **

We know how to build a cryptographic hash function from a block cipher using the MMO construction. And if we have such a hash function with an n-bit output, we can always obtain a new hash function with p bits in its output, p < n, simply by chopping off the last n-p bits. Here is your task:

Implement a hash function with a 60-bit output by using MMO with AES and chopping off the last 68 bits. Find a collision in this hash function. Notes:

You probably don't have to implement the full MMO hash function:
there are more than enough one-block queries to generate a collision.
As we know, we expect a collision after about 2^{30} hash queries.
That's not a lot for the NSA, but it's a lot for us. You'll have
to be judicious in your use of memory and disk to store intermediate
results. Think deeply about which data structures to use for this
task. Also, be careful and don't overwhelm any CS machines with
runaway code, infinite loops, infinite forking programs, etc. And
using multiple gigs of disk on a CS machine will get you in trouble,
I'll bet. Try to use your home PC (if you have one). There are
ways to use less memory at the expense of using a little more CPU
time as we saw in class. You MUST document your methods to get
credit for this project. Simply handing in a pair of inputs which
form a collision will not get many points. Proper documentation
includes what choices you made and why you made them, along with
source code used for this problem.