Problem Set #1

CSCI 4830//7000 - Cryptanalysis - Fall 2015

Problem Set #2

Due: Oct 6th, 2015 at 2pm

1. Fix some integer n > 0. Let the set A = [0 .. 2ⁿ - 1]. As we know, a function F : A → A is a permutation if and only if F is one-to-one and onto. A permutation P : A → A is a bit mixing permutation if and only if for all x in A, P(x) is a reordering of the bits of x. More precisely, if we write out x in binary as b(1) b(2) b(3) ... b(n), then P(x) = b(Q(1)) b(Q(2)) .... b(Q(n)) for some permutation Q : [1..n] → [1..n].

Prove the following: if P is a bit mixing permutation then for all x and y in A, P(x ⊕ y) = P(x) ⊕ P(y).

2. Give an example of a permutation that does not have the property of problem #1. That is, a permutation P where P(x ⊕ y) ≠ P(x) ⊕ P(y).

3. Explain why the result in Problem 1 is relevant for the 3-round differential attack on DES we did in class.

4. This problem has two parts; the first part is the easier.

Define c(x) as the one's complement of x. Prove that for all 56-bit keys K and all 64-bit inputs X, we have that DES(K, X) = c(DES(c(K),c(X))).
Describe an attack on DES that uses this property to cut down the number of keys we have to try when exhaustively searching the keyspace.

5. Look up the full description of DES and read it. You'll see that I mostly wasn't lying (the only thing I didn't mention in class was IP, its inverse, and the final-reverse at the end).
Feel free to use hwdes.c for this problem. We will use the differential attack given in class for 3 rounds of DES. In particular, use the following pairs (by adding this code to hwdes.c):

int pairs[][2][2][2] = {
    {
        { {0x748502cd, 0x38451097}, {0x2e48787d, 0xfb8509e6} },
        { {0x38747564, 0x38451097}, {0xfc19cb45, 0xb6d9f494} }
    },
    {
        { {0x48691102, 0x6acdff31}, {0xac777016, 0x3ddc98e1} },
        { {0x375bd31f, 0x6acdff31}, {0x7d708f6d, 0x4bc7ef16} }
    },
    {
        { {0x357418da, 0x013fec86}, {0x5a799643, 0x9823cf12} },
        { {0x12549847, 0x013fec86}, {0xae46e276, 0x16c26b04} }
    }
};

Now mount a differential attack using these three pairs to completely recover the key. Note that you will have to do an exhaustive key search after the initial differential attack is done. Note that IP and its inverse along with FINAL_REVERSE were all set to 0 for the above pt/ct pairs.

Turn in your code as usual along with an execution. Note that this problem is time-consuming and you should try and get an early start.

6. Let's construct a blockcipher E with a 64-bit block size. The round function f(A, J) takes a 32-bit input A and a 32-bit round-key J. We define f(A, J) = A² + J mod 2³². Now define E as 16 Feistel rounds using f with 16 indepedent and random round keys.

Break E in the sense of IND-CPA using a differential attack.

7. (EXTRA CREDIT) Do this problem only if you have finished all other problems, you are caught up in your other school, work and life obligations, and you really want to tackle something hard. Also, you will need to have some familiarity with linear algebra in order to do this problem. You can get an A in this class without doing this problem.

The idea of this exercise is to show that, with bad S-boxes, DES is easily broken. This supports the claim in class that DES's security relies on its S-box design. Here it is:

Change DES to WDES, a "Weakened DES", as follows: take the DES code given above and set it to 16 rounds, but leave off the IP and IPI and FINAL_REVERSE switches. Now, modify all 8 S-boxes to be the identity map in all four rows. (In other words, each row is 0, 1, 2, ..., 15.) We can now recover the WDES key with a single plaintext/ciphertext pair! Find the key for plaintext (9237bca1, f62011da) and ciphertext (a35498dc, 1b44aaa9). Turn in your code as usual along with an execution.