CSCI 7000 - Cryptanalysis - Spring 2005

Problem Set #3

Due: Mar 10th, 2005 at 11am

Remember, your homework MUST be submitted in LaTeX!

Do not hand in homework electronically; print it out and bring it to class.

Problem 1. (Difficulty: 2)

Please implement the 4-round attack against Rijndael.

First, download the Rijndael source to your computer and unzip it and build it (for Unix, just run make; you might have to add the line CC=gcc if the cc compiler does not exist on your machine). Then download a program I wrote 4rnds.c and build it. For unix

  % gcc rijndael-alg-fst.o 4rnds.c
and your executable is a.out. If you examine the source to 4rnds.c, you'll see that I have the number of rounds (AES_ROUNDS) set to 4, and the key is set to all 0's. Run a.out and make sure you get the same output as what I got.

If you get something else, don't continue! You need to get this right before proceeding!

Ok, now here's your goal: I ran this same program, 4rnds.c, with a different key which I'm not telling you, but the same plaintexts (which happen to be very nice for the Square attack, as you can see from the source code). Under this secret key, I got 256 ciphertexts which you now will use to mount the attack.

The answer to this problem is the value of that secret key. This means you'll have to study the key schedule, but that's not too hard. Along with your answer, please provide the well-documented source code you used to crack this cipher.

As has been pointed out, you probably will get several candidate keys. You can narrow these down by trying each of them on the following plaintext/ciphertext pair (which uses the same secret key you are looking for). If there is still more than one candidate key which works, please hand in all that you found.

pt: 0102030405060708090a0b0c0d0e0f00
ct: 71fae486fafc990d4a44a21a7fac6b75

Problem 2. (Difficulty: 5)

Define blockcipher X as follows: X has a 128-bit blocksize and a 12800-bit key K. K is broken into 100 chunks of 128-bits each, K1 through K100. Round i of X goes like this: C0=P0 and on input Pi-1, compute Ci=S(Ci-1) xor Ki, where S() is the inversion of its input in GF(2128) (and 0 goes to 0 as usual). The output of the blockcipher is C100.

Break this thing. Use a chosen-plaintext attack (or a chosen-ciphertext attack if you please) and show that you can quickly distinguish this thing from random. Or better, show that you can decipher any given ciphertext block (which is equivalent to having the key, tho you won't be able to actually recover the full key here).

Problem 3. (Difficulty: 4)

We know how to build a cryptographic hash function from a block cipher using the MMO construction. And if we have such a hash function with an n-bit output, we can always obtain a new hash function with p bits in its output, p < n, simply by chopping off the last n-p bits. Here is your task:

Implement a hash function with a 60-bit output by using MMO with AES and chopping off the last 68 bits. Find a collision in this hash function. Notes:

You probably don't have to implement the full MMO hash function: there are more than enough one-block queries to generate a collision. As we know, we expect a collision after about 230 hash queries. That's not a lot for the NSA, but it's a lot for us. You'll have to be judicious in your use of memory and disk to store intermediate results. Think deeply about which data structures to use for this task. Also, be careful and don't overwhelm any CS machines with runaway code, infinite loops, infinite forking programs, etc. And using multiple gigs of disk on a CS machine will get you in trouble, I'll bet. Try to use your home PC (if you have one). There are ways to use less memory at the expense of using a little more CPU time as we saw in class. You MUST document your methods to get credit for this project. Simply handing in a pair of inputs which form a collision will not get many points. Proper documentation includes what choices you made and why you made them, along with source code used for this problem.