1. Prove that a finite group of even order always has some element

2. Consider the finite field GF(16) with irreducible polynomial
m(x) = x^{4} + x^{3} + 1. (You'll have to trust me that m(x)
is irreducible over F_{2} here.) We will, as usual, represent
group elements as either polynomials in *x*, or a hex number, or
binary strings, with the usual mapping between these representations.

**(a)** What polynomial corresponds to the hex number 'a'?

**(b)** What is 'a' + '7' in this field?

**(c)** What is 'a' * '7' in this field?

**(d)** What is the additive inverse of 'e' in this field?

**(e)** What is the multiplicative inverse of 'e' in this field? (Try
elements exhaustively using the **xtime()** method and show your work.)

3. Now consider the field GF(256) with m(x) as given in class (the same
one used in AES, and in the AES spec). Working here will often be too hard,
so let's write a program to do it for us.

**(a)** Write a python function that adds two members of this field
(use the "def" command and put this into a library so you can import it
later as needed).

**(b)** Write a python function for **xtime**.

**(c)** Write a python function that multiplies two field elements together.
(Use the xtime function as a subroutine.)

**(d)** Write a python function that returns the inverse of any non-zero
element of the field (use Euclid's extended algorithm here). This is by
far the hardest of the steps above.

Make sure you verify your code is correct by doing the obvious kinds of checks.
For example, if you get that *b* is the inverse of *a*, then
verify that *ab* = '01'.

3. Please implement the 4-round attack against Rijndael.

First, download the Rijndael source
to your computer and unzip it and build it (for Unix, just run `make`;
you might have to add the line `CC=gcc` if the cc compiler does not
exist on your machine).
Then download a program
I wrote 4rnds.c and build it. For unix

% gcc rijndael-alg-fst.o 4rnds.cand your executable is

If you get something else, don't continue! You need to get this right before proceeding!

Ok, now here's your goal: I ran this same program, `4rnds.c`, with a
**different** key which I'm not telling you, but the same plaintexts
(which happen to be very nice for the Square attack, as you can see from
the source code). Under this secret key, I got
256 ciphertexts which you now will use to mount the attack.

The answer to this problem is the value of that secret key. This means you'll have to study the key schedule, but that's not too hard. Along with your answer, please provide the well-documented source code you used to crack this cipher.

As has been pointed out, you probably will get **several** candidate
keys. You can narrow these down by trying each of them on the following
plaintext/ciphertext pair (which uses the same secret key you are looking
for). If there is still more than one candidate key which works, please
hand in all that you found.

pt: 0102030405060708090a0b0c0d0e0f00 ct: 71fae486fafc990d4a44a21a7fac6b75

4. Define blockcipher X as follows: X has a 128-bit blocksize and
a 12800-bit key K. K is broken into 100 chunks of 128-bits each,
K_{1} through K_{100}.
Round i of X goes like this: C_{0}=P_{0} and
on input P_{i-1},
compute C_{i}=S(C_{i-1}) xor K_{i}, where S() is the
inversion of its input in GF(2^{128}) (and 0 goes to 0 as usual).
The output of the blockcipher is C_{100}. Break this thing as
we discussed in class.