### Problem Set #3

#### Due: Mar 20th, 2008 at 11am

1. Prove that a finite group of even order always has some element i different from the identity, where i is its own inverse.

2. Consider the finite field GF(16) with irreducible polynomial m(x) = x4 + x3 + 1. (You'll have to trust me that m(x) is irreducible over F2 here.) We will, as usual, represent group elements as either polynomials in x, or a hex number, or binary strings, with the usual mapping between these representations.
(a) What polynomial corresponds to the hex number 'a'?
(b) What is 'a' + '7' in this field?
(c) What is 'a' * '7' in this field?
(d) What is the additive inverse of 'e' in this field?
(e) What is the multiplicative inverse of 'e' in this field? (Try elements exhaustively using the xtime() method and show your work.)

3. Now consider the field GF(256) with m(x) as given in class (the same one used in AES, and in the AES spec). Working here will often be too hard, so let's write a program to do it for us.
(a) Write a python function that adds two members of this field (use the "def" command and put this into a library so you can import it later as needed).
(b) Write a python function for xtime.
(c) Write a python function that multiplies two field elements together. (Use the xtime function as a subroutine.)
(d) Write a python function that returns the inverse of any non-zero element of the field (use Euclid's extended algorithm here). This is by far the hardest of the steps above.

Make sure you verify your code is correct by doing the obvious kinds of checks. For example, if you get that b is the inverse of a, then verify that ab = '01'.

3. Please implement the 4-round attack against Rijndael.

First, download the Rijndael source to your computer and unzip it and build it (for Unix, just run make; you might have to add the line CC=gcc if the cc compiler does not exist on your machine). Then download a program I wrote 4rnds.c and build it. For unix

```  % gcc rijndael-alg-fst.o 4rnds.c
```
and your executable is a.out. If you examine the source to 4rnds.c, you'll see that I have the number of rounds (AES_ROUNDS) set to 4, and the key is set to all 0's. Run a.out and make sure you get the same output as what I got.

If you get something else, don't continue! You need to get this right before proceeding!

Ok, now here's your goal: I ran this same program, 4rnds.c, with a different key which I'm not telling you, but the same plaintexts (which happen to be very nice for the Square attack, as you can see from the source code). Under this secret key, I got 256 ciphertexts which you now will use to mount the attack.

The answer to this problem is the value of that secret key. This means you'll have to study the key schedule, but that's not too hard. Along with your answer, please provide the well-documented source code you used to crack this cipher.

As has been pointed out, you probably will get several candidate keys. You can narrow these down by trying each of them on the following plaintext/ciphertext pair (which uses the same secret key you are looking for). If there is still more than one candidate key which works, please hand in all that you found.

```pt: 0102030405060708090a0b0c0d0e0f00
ct: 71fae486fafc990d4a44a21a7fac6b75
```

4. Define blockcipher X as follows: X has a 128-bit blocksize and a 12800-bit key K. K is broken into 100 chunks of 128-bits each, K1 through K100. Round i of X goes like this: C0=P0 and on input Pi-1, compute Ci=S(Ci-1) xor Ki, where S() is the inversion of its input in GF(2128) (and 0 goes to 0 as usual). The output of the blockcipher is C100. Break this thing as we discussed in class.