# ss1 - Computer Science and Engineering, UCSD Spring 11 CSE...


Computer Science and Engineering, UCSD, Spring 11

CSE 207: Modern Cryptography

Instructor: Mihir Bellare

Problem Set 1 Solutions, April 6, 2010

**Problem 1.** [30 points] Let $K$ be a 56-bit DES key, let $L$ be a 64-bit string, and let $M$ be a 64-bit plaintext. Let

$$\mathrm{DESY}(K \| L, M) = \mathrm{DES}(K, L \oplus M)$$

$$\mathrm{DESW}(K \| L, M) = L \oplus \mathrm{DES}(K, M).$$

This defines block ciphers $\mathrm{DESY}, \mathrm{DESW} : \{0,1\}^{120} \times \{0,1\}^{64} \to \{0,1\}^{64}$. Present the best possible key-recovery attacks that you can on these block ciphers. Your attacks should use very few input-output examples, not more than three. State the running time of your attacks.

Note that $C = \mathrm{DESY}(K \| L, M)$ iff $\mathrm{DES}^{-1}(K, C) \oplus M = L$. This leads to the following key-recovery attack:

```
Adversary A_DESY((M1,C1), (M2,C2), (M3,C3))
  for each key T ∈ {0,1}^56 do
    L1 ← DES^-1(T,C1) ⊕ M1 ; L2 ← DES^-1(T,C2) ⊕ M2 ; L3 ← DES^-1(T,C3) ⊕ M3
    if L1 = L2 = L3 then return T ∥ L1
```

The time taken by this attack is that of about $3 \cdot 2^{56}$ $\mathrm{DES}^{-1}$ computations.

Note that $C = \mathrm{DESW}(K \| L, M)$ iff $C \oplus \mathrm{DES}(K, M) = L$. This leads to the following key-recovery attack:

```
Adversary A_DESW((M1,C1), (M2,C2), (M3,C3))
  for each key T ∈ {0,1}^56 do
    L1 ← DES(T,M1) ⊕ C1 ; L2 ← DES(T,M2) ⊕ C2 ; L3 ← DES(T,M3) ⊕ C3
    if L1 = L2 = L3 then return T ∥ L1
```

The time taken by this attack is that of about $3 \cdot 2^{56}$ $\mathrm{DES}$ computations.

As usual, we are only guaranteed the attacks find a key consistent with the input-output examples rather than finding the target key itself, but empirically we estimate that with three input-output examples the target key will be the only one consistent with the input-output examples and hence will be the one found by the attack.

The same attacks using only two input-output examples will also typically find the target key, although perhaps with less frequency than the version using three input-output examples. But if you use only one input-output example, you will almost never find the target key. In that case, for every $T$ one computes an $L$ so that $T \| L$ is consistent with the single input-output example, so the attack terminates in one try, but with the wrong key most of the time.

```
Game EKS

procedure Initialize
  T* ←$ {0,1}^k ; C* ← E[T*,M*] ←$ {0,1}^n
  Range[T*] ← {C*}
  Return C*

procedure E(T,M)
  If not E[T,M] then
    E[T,M] ←$ {0,1}^n \ Range[T]
    Range[T] ← Range[T] ∪ {E[T,M]}
  Return E[T,M]

procedure Finalize(T)
  Ret (T = T*)
```

Figure 1: Game EKS for Problem 3.

**Problem 2.** [50 points] The goal of a key-search attack (such as exhaustive key search) is to find the target key, but, as discussed in the notes and in class, such an attack might find a key that is consistent with the input-output examples but is not the target key. We glossed over this, saying it “usually” does not happen. This problem gives a sense of how cryptographers arrive at this type...
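An added example, not part of the original solutions: it runs the DESW attack from Problem 1 at toy scale and, going slightly beyond the page's adversary, counts every consistent key instead of returning the first one. The cipher `toy_e` (a 12-bit-key, 20-bit-block Feistel network built on SHA-256), the target key and the plaintexts are assumptions standing in for DES and for real input-output examples.

```python
import hashlib

KEY_BITS, HALF = 12, 10          # toy sizes: 12-bit key, 20-bit block (DES: 56 and 64)
MASK = (1 << HALF) - 1

def toy_e(key, block):
    """Stand-in for DES(K, M): 4-round Feistel network, SHA-256 round function."""
    left, right = block >> HALF, block & MASK
    for rnd in range(4):
        data = bytes([rnd, key >> 8, key & 0xFF, right >> 8, right & 0xFF])
        f = int.from_bytes(hashlib.sha256(data).digest()[:2], "big") & MASK
        left, right = right, left ^ f
    return (left << HALF) | right

def desw(key, whitening, msg):
    """DESW(K || L, M) = L xor E(K, M), with toy_e in place of DES."""
    return whitening ^ toy_e(key, msg)

def consistent_keys(pairs):
    """Every (T, L) that agrees with all (M, C) pairs, found by trying each T."""
    found = []
    for t in range(1 << KEY_BITS):
        # L_i = E(T, M_i) xor C_i; T survives only if all L_i coincide.
        candidates = {toy_e(t, m) ^ c for m, c in pairs}
        if len(candidates) == 1:
            found.append((t, candidates.pop()))
    return found

# Constructed target key (K, L) and constructed plaintexts.
TARGET = (0xABC, 0x5A5A5)
PAIRS = [(m, desw(*TARGET, m)) for m in (0x00001, 0x12345, 0xFFFFE)]

if __name__ == "__main__":
    for n in (1, 2, 3):
        hits = consistent_keys(PAIRS[:n])
        print(f"{n} example(s): {len(hits)} consistent key(s)")
```

The search loops over the 12-bit $T$ only and never over $L$, which is why the whitening string adds key length without adding key-search cost.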

## This note was uploaded on 08/31/2011 for the course CSE 207 taught by Professor Daniele during the Winter '08 term at UCSD.
