
E0 235.

Cryptography Assignment 1
Biswajit Nag, S.R. No. 10965
28th March 2016

Answer 1
The WEP protocol fails to provide data integrity because an adversary can introduce an arbitrary change to an encrypted packet without any prior information about the packet itself. For a message $m$, shared secret key $k$ and initialization vector $v$, the corresponding ciphertext is $C(m) = RC4(v,k) \oplus (m\,\|\,IC(m))$, where $IC$ is the CRC-32 integrity checksum used in WEP. Since $IC$ is linear, for any arbitrary bit string $\Delta$ with $|\Delta| = |m|$,

$$\begin{aligned}
C(m \oplus \Delta) &= RC4(v,k) \oplus \big((m \oplus \Delta)\,\|\,IC(m \oplus \Delta)\big) \\
&= RC4(v,k) \oplus \big((m \oplus \Delta)\,\|\,(IC(m) \oplus IC(\Delta))\big) \\
&= RC4(v,k) \oplus (m\,\|\,IC(m)) \oplus (\Delta\,\|\,IC(\Delta)) \\
&= C(m) \oplus (\Delta\,\|\,IC(\Delta))
\end{aligned}$$

Hence the adversary can break the data integrity of a packet simply by xor-ing it with $\Delta\,\|\,IC(\Delta)$ for any $\Delta$ of its choice.
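An added check, not part of the assignment, that makes the linearity of $IC$ concrete on constructed byte strings and contrasts it with a keyed MAC (HMAC-SHA256, chosen here as the comparison). One caveat the derivation glosses over: standard CRC-32 uses a non-zero initial register value and a final XOR, so it is affine rather than strictly linear, and $IC(m \oplus \Delta) = IC(m) \oplus IC(\Delta) \oplus IC(0^{|m|})$ is the identity that actually holds.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def ic(data: bytes) -> bytes:
    """The WEP integrity check value: CRC-32 as a 4-byte big-endian string."""
    return zlib.crc32(data).to_bytes(4, "big")

def ic_is_linear(m: bytes, delta: bytes) -> bool:
    """The idealised identity used in the derivation: IC(m ^ d) == IC(m) ^ IC(d)."""
    return ic(xor(m, delta)) == xor(ic(m), ic(delta))

def ic_is_affine(m: bytes, delta: bytes) -> bool:
    """What actually holds for standard CRC-32, whose initial register value
    and final XOR make it affine: IC(m ^ d) == IC(m) ^ IC(d) ^ IC(0^|m|)."""
    zeros = bytes(len(m))
    return ic(xor(m, delta)) == xor(xor(ic(m), ic(delta)), ic(zeros))

def mac(key: bytes, data: bytes) -> bytes:
    """A keyed MAC, the kind of integrity primitive that resists this attack."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mac_is_affine(key: bytes, m: bytes, delta: bytes) -> bool:
    """The same relation tested against HMAC-SHA256; a secure MAC has no such
    structure, so this holds only with negligible probability."""
    zeros = bytes(len(m))
    return mac(key, xor(m, delta)) == xor(xor(mac(key, m), mac(key, delta)),
                                          mac(key, zeros))

# Constructed sample values: a payload, a difference that flips only its
# first bit, and a MAC key. None of them come from the assignment.
SAMPLE_M = b"constructed WEP payload"
SAMPLE_DELTA = b"\x80" + bytes(len(SAMPLE_M) - 1)
SAMPLE_KEY = b"constructed-mac-key"

if __name__ == "__main__":
    print("CRC-32 strictly linear:", ic_is_linear(SAMPLE_M, SAMPLE_DELTA))
    print("CRC-32 affine:         ", ic_is_affine(SAMPLE_M, SAMPLE_DELTA))
    print("HMAC affine:           ", mac_is_affine(SAMPLE_KEY, SAMPLE_M, SAMPLE_DELTA))
```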

Answer 2
In DES encryption of a message $M = m_0\,\|\,m_1$ (a pair of two smaller $n$-bit halves), the iteration $(m_{i-1}, m_i) \mapsto_{k_i} (m_i, m_{i+1})$, where $m_{i+1} = m_{i-1} \oplus f(m_i, k_i)$, is performed 16 times starting from the pair $(m_0, m_1)$. Here $f$ is the DES round function and $k_i$ is the key scheduled for the $i$th round. Finally, $DES_k(M) = m_{17}$. To prove the statement given in the question, we first claim that

$$(m_{i-1}, m_i) \mapsto_{k_i} (m_i, m_{i+1}) \implies (\overline{m_{i-1}}, \overline{m_i}) \mapsto_{\overline{k_i}} (\overline{m_i}, \overline{m_{i+1}})$$

or equivalently,

$$\overline{m_{i+1}} = \overline{m_{i-1}} \oplus f(\overline{m_i}, \overline{k_i})$$

To prove this claim we first note that for any two bit strings $a$ and $b$ of equal length, $\overline{a} \oplus b = \overline{a \oplus b}$ and $\overline{a} \oplus \overline{b} = a \oplus b$. We also note that the outputs of the key-scheduling algorithm and of the fixed expansion function $E : 2^{32} \mapsto 2^{48}$ used within $f$ are complemented by complementing the input. Hence $(\overline{k})_i = \overline{k_i}$ and $E(\overline{m_i}) \oplus \overline{k_i} = \overline{E(m_i)} \oplus \overline{k_i} = E(m_i) \oplus k_i$. Since only $E(m_i) \oplus k_i$ is used as the input for the rest of the round function (the fixed non-linear S-boxes and a fixed permutation), $f(\overline{m_i}, \overline{k_i}) = f(m_i, k_i)$. So $\overline{m_{i+1}} = \overline{m_{i-1} \oplus f(m_i, k_i)} = \overline{m_{i-1}} \oplus f(\overline{m_i}, \overline{k_i})$, which proves our claim. Combining all the iterations inductively from the beginning we get that

$$(m_0, m_1) \mapsto_{k} (m_i, m_{i+1}) \implies (\overline{m_0}, \overline{m_1}) \mapsto_{\overline{k}} (\overline{m_i}, \overline{m_{i+1}})$$

More specifically, for $i = 16$, this gives our desired result.

Answer 3
If $E_{k_i}$ is the DES encryption scheme with key $k_i$, then the entire 3DES process is $c = E_{k_1}(E_{k_2}(E_{k_3}(m)))$. We can try to arrive at a meet-in-the-middle (MIM) attack on this scheme in two ways. In the first, for some given $(c, m)$ pairs $(c_1, m_1), \ldots, (c_t, m_t)$ we first compute $E^{-1}_{h_1}(c_1)$ for all $h_1 \in \{0,1\}^{56}$ and then try to find collisions $c = E_{h_1}(E_{h_2}(E_{h_3}(m)))$ by computing $E_{h_2}(E_{h_3}(m_1))$ for all $h_2, h_3 \in \{0,1\}^{56}$. The expected number of such collisions we will find (assuming $E$ to be random) is $2^{56 \cdot 3} / 2^{64} = 2^{104}$. If we verify these collisions against four more $(c, m)$ pairs then this number comes down to $2^{-152}$, which is quite unlikely an event to happen in real situations. For such an algorithm,

Storage complexity: $2^{56} \cdot (56 \text{ for the subkey} + 64 \text{ for } E^{-1}_{h_1}(c_1)) = 2^{62.9}$

Time complexity: $2^{56} + 2^{112}$ for the other subkeys $+ 4 \cdot 2^{104}$ for collision verification

For the other possible attack, in which $E^{-1}$ is computed for two of the subkeys and stored (instead of one), the storage complexity becomes $2^{112} \cdot (112 \text{ for two subkeys} + 64) = 2^{63.5}$. The time complexity remains the same. Clearly, the first one is a better MIM attack.

Answer 4
In AES-CBC mode, $m_i = Dec_{AES,k}(c_i) \oplus c_{i-1}$. Hence all the message blocks from $c_4$ onwards will be decrypted correctly. For the same reason, $c_1$ will also be decrypted correctly. Also, since only the first bit of $c_2$ is flipped, Bob will arrive at (almost) the correct $m_3$, with only its first bit flipped. But upon decrypting $c_2$, since AES is built on the principles of diffusion and confusion and its SPN structure always exhibits the avalanche effect, we do not expect the result to reveal any apparent relation to $m_2$.
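As an added illustration that is not part of the assignment, the following CBC decryption shows exactly which plaintext blocks are affected when the first bit of $c_2$ is flipped. AES is replaced by a constructed 4-round Feistel cipher (an assumption made here), since the propagation pattern depends only on the CBC relation $m_i = Dec_k(c_i) \oplus c_{i-1}$ and on the block cipher diffusing a single-bit change.

```python
import hashlib

HALF = 8  # 16-byte blocks, like AES, split into two 8-byte Feistel halves

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed, truncated SHA-256 as the Feistel round function."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel cipher standing in for AES: an invertible,
    strongly diffusing block permutation is all the demonstration needs."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for m in blocks:
        prev = toy_encrypt_block(key, _xor(m, prev))
        out.append(prev)
    return out

def cbc_decrypt(key: bytes, iv: bytes, cblocks: list) -> list:
    """m_i = Dec_k(c_i) XOR c_{i-1}, the relation used in Answer 4 (c_0 = IV)."""
    out, prev = [], iv
    for c in cblocks:
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return out

def damage_report(key: bytes, iv: bytes, cblocks: list, index: int, bit: int) -> list:
    """Flip one bit of ciphertext block `index` (0-based; bit 0 is the first, most
    significant bit) and return, per plaintext block, clean XOR damaged decryption."""
    tampered = list(cblocks)
    flipped = bytearray(tampered[index])
    flipped[bit // 8] ^= 0x80 >> (bit % 8)
    tampered[index] = bytes(flipped)
    clean, damaged = cbc_decrypt(key, iv, cblocks), cbc_decrypt(key, iv, tampered)
    return [_xor(a, b) for a, b in zip(clean, damaged)]
```

With five blocks and the first bit of the second ciphertext block flipped, the report is all-zero for blocks 1, 4 and 5, a single set bit for block 3, and a full garbled block for block 2, matching the answer above.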

Answer 5
We prove that if the hash function $H$ is not collision resistant then the compression function $f$ is also not collision resistant.

Figure 1: Schematic diagram of Merkle's meta-construction of a hash function [1]

If $H$ is not collision resistant, then there exist at least two distinct messages $M_1$ and $M_2$ whose hash digests are the same. If the lengths of the two messages are different then we immediately have a collision in $f$ at its last iteration. Assuming that they are the same, let $i$ be the smallest iteration index for which the iterated compression function value is the same. Clearly, $1 \le i \le t+1$. If $i > 1$, since $H_{i-1}$ is different for the two messages, this gives a collision in $f$. If $i = 0$, then since $M_1$ and $M_2$ are different, they differ in at least one of the blocks, say at index $j$. Since $j - 1 = i$, there is a collision of $f$ at iteration $j$. This completes our proof.

If the length block is absent, then two different messages, after being padded with 0 bits at the end (to arrive at the appropriate block length), can result in the same iterand. For example, if $r$ is the block length and $r$ does not divide $|M|$, then the hash digest of $M\,\|\,0$ will be the same as that of $M$, but this collision in $H$ is not due to an inherent collision in $f$.
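An added toy implementation, not part of the assignment, of the reduction above: a Merkle construction with a constructed 16-bit compression function (truncated SHA-256, an assumption made here so that $H$-collisions are cheap to find by a birthday search), the backward walk that turns an $H$-collision into an $f$-collision, and the padding caveat with and without the length block.

```python
import hashlib
import os

BLOCK, DIGEST = 4, 2   # constructed toy sizes: 4-byte blocks, 16-bit chaining value
IV = bytes(DIGEST)

def f(h: bytes, block: bytes) -> bytes:
    """Toy compression function f: truncated SHA-256 of h || block."""
    return hashlib.sha256(h + block).digest()[:DIGEST]

def md_blocks(msg: bytes, length_block: bool = True) -> list:
    """Zero-pad to a block boundary, then append a block encoding |msg| if asked."""
    data = msg + bytes(-len(msg) % BLOCK)
    if length_block:
        data += len(msg).to_bytes(BLOCK, "big")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def md_chain(msg: bytes, length_block: bool = True) -> list:
    """Every iteration (H_{i-1}, M_i, H_i) of the Merkle construction."""
    h, chain = IV, []
    for b in md_blocks(msg, length_block):
        chain.append((h, b, f(h, b)))
        h = chain[-1][2]
    return chain

def md_hash(msg: bytes, length_block: bool = True) -> bytes:
    return md_chain(msg, length_block)[-1][2]

def extract_f_collision(m1: bytes, m2: bytes) -> tuple:
    """Given H(m1) == H(m2), m1 != m2, same block count: walk back from the
    last iteration to the first whose inputs differ while the outputs agree.
    That input pair is a collision for f, as argued in Answer 5."""
    c1, c2 = md_chain(m1), md_chain(m2)
    assert len(c1) == len(c2) and c1[-1][2] == c2[-1][2]
    for (h1, b1, _), (h2, b2, _) in zip(reversed(c1), reversed(c2)):
        if (h1, b1) != (h2, b2):
            return (h1, b1), (h2, b2)
        # equal inputs mean H_{i-1} agreed too, so the previous outputs collide
    raise ValueError("messages are identical")

def find_h_collision() -> tuple:
    """Birthday search over random 8-byte messages (two blocks + length block);
    with 16-bit digests a collision appears after a few hundred tries."""
    seen = {}
    while True:
        m = os.urandom(8)
        d = md_hash(m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen[d] = m
```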

Answer 6
Since every ball, at every step of the distribution, can be assigned to any of the $n$ bins, there are $n^q$ ways of distributing the $q$ balls (counting the order in which the balls are thrown). Out of these, in only $\binom{n}{q}\, q!$ ways are the balls distributed into distinct bins (here $\binom{n}{q}$ comes from choosing the $q$ bins that receive one ball each, and it is multiplied by $q!$ because every such arrangement can be arrived at in $q!$ orders). So,

$$\begin{aligned}
p(n,q) &= 1 - \frac{n!}{(n-q)!\, n^q} \\
&= 1 - \prod_{i=0}^{q-1}\left(1 - \frac{i}{n}\right) \\
&\ge 1 - \prod_{i=0}^{q-1} e^{-i/n} \\
&= 1 - e^{-\frac{q(q-1)}{2n}}
\end{aligned}$$

[1] Source of diagram: Prof. Sanjit Chatterjee's lecture slides


This lower bound is valid for all possible values of $n$ and $q$. For $q \le \sqrt{2n}$, $\frac{q(q-1)}{2n} \le \frac{q^2}{2n} \le 1$. To further simplify the lower bound, we note that for $0 < c < 1$, $cx \le 1 - e^{-x}$ within some positive neighbourhood of zero. For this neighbourhood to be $[0,1]$, we have $c = 1 - e^{-1}$. Hence, for $q \le \sqrt{2n}$,

$$p(n,q) \ge \left(1 - e^{-1}\right)\frac{q(q-1)}{2n}$$

Answer 7
Let the CBC-MAC use an underlying block cipher with block size $n$ and key size $l$; since this is a fixed-length MAC, we assume that the MAC takes inputs of size exactly $tn$. We assume that the MAC is ideal, i.e. the block cipher is a random permutation for every key $k$. Since we are attempting to break the MAC security, we assume that a MAC oracle is available for our use. We attempt to find tag collisions for messages of the form $m_1\,\|\,m_2\,\|\,M$, where $M$ is a fixed arbitrary bit string of length $(t-2)n$ and the other two blocks are of length $n$ each. Our algorithm generates $m_1$ and $m_2$ randomly, gets the tag from the oracle, and stores $m_1$, $m_2$ and the tag. Before storing these values, it compares the new tag with all previously stored tags and checks for collisions. In such an algorithm, a collision $(m_{11}\,\|\,m_{12}\,\|\,M,\; m_{21}\,\|\,m_{22}\,\|\,M)$ immediately implies that $E_k(m_{12} \oplus E_k(m_{11})) = E_k(m_{22} \oplus E_k(m_{21}))$. Hence for any other $(t-2)n$-bit string $M'$, knowing the tag of $m_{11}\,\|\,m_{12}\,\|\,M'$ implies knowing the tag of $m_{21}\,\|\,m_{22}\,\|\,M'$ (since they are identical) and vice versa. This breaks the MAC security.

Since the MAC being targeted is ideal, using the lower bound derived in Answer 6, if we randomly get the tags for $q = \sqrt{2^{n+1}\ln 2}$ distinct messages, then the probability of getting a tag collision is exactly $p(2^n, q)$. But

$$\begin{aligned}
p(2^n, q) &\ge 1 - e^{-\frac{q^2}{2^{n+1}}} \\
&= 1 - e^{-\frac{2^{n+1}\ln 2}{2^{n+1}}} \\
&= \frac{1}{2}
\end{aligned}$$

This is already a non-negligible probability and it can be boosted to values arbitrarily close to 1 by choosing higher values of $q$.

Space complexity: $\sqrt{2^{n+1}\ln 2} \cdot 3n$ for the message blocks and the tag

Time complexity: $\sqrt{2^{n+1}\ln 2} \cdot 2n$ for generation of random bits
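As an added worked check, not part of the assignment, the following computes $p(n,q)$ exactly and compares it with the two lower bounds from Answer 6, then evaluates the query count $q = \sqrt{2^{n+1}\ln 2}$ from Answer 7 for a constructed 16-bit tag (rounding $q$ up to a whole number of queries is an assumption made here).

```python
import math

def p_exact(n: int, q: int) -> float:
    """Exact probability that q balls thrown into n bins share a bin:
    p(n,q) = 1 - prod_{i=0}^{q-1} (1 - i/n)."""
    prod = 1.0
    for i in range(q):
        prod *= 1.0 - i / n
    return 1.0 - prod

def p_lower_bound(n: int, q: int) -> float:
    """The bound derived in Answer 6: p(n,q) >= 1 - exp(-q(q-1)/2n)."""
    return 1.0 - math.exp(-q * (q - 1) / (2.0 * n))

def p_linear_bound(n: int, q: int) -> float:
    """The simplified bound for q <= sqrt(2n): p(n,q) >= (1 - 1/e) q(q-1)/2n."""
    assert q <= math.sqrt(2 * n)
    return (1.0 - math.exp(-1.0)) * q * (q - 1) / (2.0 * n)

def bounds_hold(n: int, q_max: int) -> bool:
    """Check the exponential bound for every q up to q_max, and the linear
    bound wherever it applies (small tolerance for floating-point error)."""
    for q in range(1, q_max + 1):
        if p_exact(n, q) < p_lower_bound(n, q) - 1e-12:
            return False
        if q <= math.sqrt(2 * n) and p_exact(n, q) < p_linear_bound(n, q) - 1e-12:
            return False
    return True

def cbc_mac_queries(n_bits: int) -> int:
    """Number of random tag queries from Answer 7, q = sqrt(2^(n+1) ln 2),
    rounded up to a whole message, for an n-bit tag."""
    return math.ceil(math.sqrt(2 ** (n_bits + 1) * math.log(2)))

def tag_collision_probability(n_bits: int) -> float:
    """Exact collision probability after that many queries over 2^n tag values;
    with q rounded up it lands just above 1/2, as Answer 7 predicts."""
    return p_exact(2 ** n_bits, cbc_mac_queries(n_bits))
```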
