Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 1 Solutions
April 6, 2010

Problem 1. [30 points] Let $K$ be a 56-bit DES key, let $L$ be a 64-bit string, and let $M$ be a 64-bit plaintext. Let

$$\mathrm{DESY}(K \| L, M) = \mathrm{DES}(K, L \oplus M)$$
$$\mathrm{DESW}(K \| L, M) = L \oplus \mathrm{DES}(K, M).$$

This defines block ciphers $\mathrm{DESY}, \mathrm{DESW} : \{0,1\}^{120} \times \{0,1\}^{64} \to \{0,1\}^{64}$. Present the best possible key-recovery attacks that you can on these block ciphers. Your attacks should use very few input-output examples, not more than three. State the running time of your attacks.

Note that $C = \mathrm{DESY}(K \| L, M)$ iff $\mathrm{DES}^{-1}(K, C) \oplus M = L$. This leads to the following key-recovery attack:

Adversary $A_{\mathrm{DESY}}((M_1, C_1), (M_2, C_2), (M_3, C_3))$
  for each key $T \in \{0,1\}^{56}$ do
    $L_1 \leftarrow \mathrm{DES}^{-1}(T, C_1) \oplus M_1$ ; $L_2 \leftarrow \mathrm{DES}^{-1}(T, C_2) \oplus M_2$ ; $L_3 \leftarrow \mathrm{DES}^{-1}(T, C_3) \oplus M_3$
    if $L_1 = L_2 = L_3$ then return $T \| L_1$

The time taken by this attack is that of about $3 \cdot 2^{56}$ $\mathrm{DES}^{-1}$ computations.

Note that $C = \mathrm{DESW}(K \| L, M)$ iff $C \oplus \mathrm{DES}(K, M) = L$. This leads to the following key-recovery attack:

Adversary $A_{\mathrm{DESW}}((M_1, C_1), (M_2, C_2), (M_3, C_3))$
  for each key $T \in \{0,1\}^{56}$ do
    $L_1 \leftarrow \mathrm{DES}(T, M_1) \oplus C_1$ ; $L_2 \leftarrow \mathrm{DES}(T, M_2) \oplus C_2$ ; $L_3 \leftarrow \mathrm{DES}(T, M_3) \oplus C_3$
    if $L_1 = L_2 = L_3$ then return $T \| L_1$

The time taken by this attack is that of about $3 \cdot 2^{56}$ DES computations.

As usual, we are only guaranteed the attacks find a key consistent with the input-output examples rather than finding the target key itself, but empirically we estimate that with three input-output examples the target key will be the only one consistent with the input-output examples and hence will be the one found by the attack.
The same attacks using only two input-output examples will also typically find the target key, although perhaps with less frequency than the version using three input-output examples. But if you use only one input-output example, you will almost never find the target key. In that case, for every $T$ one computes an $L$ so that $T \| L$ is consistent with the single input-output example, so the attack terminates in one try, but with the wrong key most of the time.

Game EKS

procedure Initialize
  $T^* \xleftarrow{\$} \{0,1\}^k$ ; $C^* \leftarrow E[T^*, M^*] \xleftarrow{\$} \{0,1\}^n$
  $\mathrm{Range}[T^*] \leftarrow \{C^*\}$
  Return $C^*$

procedure E($T, M$)
  If not $E[T, M]$ then
    $E[T, M] \xleftarrow{\$} \{0,1\}^n \setminus \mathrm{Range}[T]$
    $\mathrm{Range}[T] \leftarrow \mathrm{Range}[T] \cup \{E[T, M]\}$
  Return $E[T, M]$

procedure Finalize($T$)
  Ret ($T = T^*$)

Figure 1: Game EKS for Problem 3.

Problem 2. [50 points] The goal of a key-search attack (such as exhaustive key search) is to find the target key, but, as discussed in the notes and in class, such an attack might find a key that is consistent with the input-output examples but is not the target key. We glossed over this, saying it “usually” does not happen. This problem gives a sense of how cryptographers arrive at this typeit “usually” does not happen....
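The Problem 1 searches and the consistent-but-wrong-key effect that Problem 2 raises can be checked at toy scale. The following is an added example, not part of the original solutions: it assumes a 4-round Feistel stand-in for DES with a 12-bit key and 16-bit block (hypothetical `toy_enc`/`toy_dec`), and it collects every consistent key instead of returning the first one, so the effect of using one, two or three examples is visible. The key, mask and messages are constructed sample values.

```python
import hashlib

KEY_BITS = 12  # toy key size (DES: 56); the block and L are 16 bits (DES: 64)

def _f(key, rnd, half):
    # Round function of the toy cipher: one byte from (key, round, half-block).
    return hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, half])).digest()[0]

def toy_enc(key, m):
    l, r = m >> 8, m & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 8) | r

def toy_dec(key, c):
    l, r = c >> 8, c & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 8) | r

def desy(k, l, m):  # DESY(K||L, M) = E(K, L xor M)
    return toy_enc(k, l ^ m)

def desw(k, l, m):  # DESW(K||L, M) = L xor E(K, M)
    return l ^ toy_enc(k, m)

def consistent_keys(scheme, pairs):
    """Every (T, L) that agrees with all (M, C) pairs, using the page's loop."""
    found = []
    for t in range(1 << KEY_BITS):
        if scheme == "DESY":
            ls = {toy_dec(t, c) ^ m for m, c in pairs}  # L_i = E^-1(T,C_i) xor M_i
        else:
            ls = {toy_enc(t, m) ^ c for m, c in pairs}  # L_i = E(T,M_i) xor C_i
        if len(ls) == 1:                                # L_1 = L_2 = ... holds
            found.append((t, ls.pop()))
    return found

K, L = 0xABC, 0x1234               # constructed target key K || L
MSGS = [0x0001, 0x0203, 0xBEEF]    # constructed plaintexts

def demo(scheme):
    enc = desy if scheme == "DESY" else desw
    pairs = [(m, enc(K, L, m)) for m in MSGS]
    return {n: consistent_keys(scheme, pairs[:n]) for n in (1, 2, 3)}

if __name__ == "__main__":
    for scheme in ("DESY", "DESW"):
        for n, keys in demo(scheme).items():
            print(scheme, n, "example(s):", len(keys), "consistent key(s)")
```

With one example every candidate T yields a consistent L, so the search cannot single out the target; with three, only the target K || L remains.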
This note was uploaded on 08/31/2011 for the course CSE 207 taught by Professor Daniele during the Winter '08 term at UCSD.