FIT5163 Use Chinese Remainder Theorem in RSA
(j) What is the difference between the AES decryption algorithm and the equivalent inverse
cipher?
For the AES decryption algorithm, the sequence of transformations for decryption differs
from that for encryption, although the form of the key schedules for encryption and
decryption is the same. The equivalent version has the same sequence of transformations
as the encryption algorithm (with transformations replaced by their inverses). To
achieve this equivalence, a change in key schedule is needed.
2. The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a
linear array of 44 words (156 bytes). AES S-boxes are shown in Figure 1. The diagram in
Figure 2 given below defines the expansion algorithm:
The function g consists of the following subfunctions:
(a) RotWord performs a one-byte circular left shift on a word. This means that an input
word [b0 , b1 , b2 , b3 ] is transformed into [b1 , b2 , b3 , b0 ].
(b) SubWord performs a byte substitution on each byte of its input word, using the S-box as
shown in Figure 1, AES S-Boxes.
(c) The result of steps (a) and (b) is XORed with a round constant, which in this
particular case is Rcon = {01 00 00 00}.
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
Figure 1: AES S-Box (row = high nibble of the input byte, column = low nibble)
Show the first eight words of the key expansion for a 128-bit key of:
44D82220E41FA6697368C0D0ACB2EB71. Show all your calculations.
Key: 44D82220E41FA6697368C0D0ACB2EB71
w0 = 44D82220
w1 = E41FA669
w2 = 7368C0D0
w3 = ACB2EB71
Function g applied to w3:
RotWord: [b0 b1 b2 b3] becomes [b1 b2 b3 b0], so ACB2EB71 becomes B2EB71AC
SubWord (Figure 1): B2 -> 37, EB -> E9, 71 -> A3, AC -> 91, giving 37E9A391
XOR with Rcon (RC[1] = 01): 37E9A391 XOR 01000000 = 36E9A391
36E9A391 : output of function g (used to compute w4 = w0 XOR g(w3))
Key bytes arranged as the four columns w0, w1, w2, w3:
44 E4 73 AC
D8 1F 68 B2
22 A6 C0 EB
20 69 D0 71
Function g applied to w3:
RotWord:        B2 EB 71 AC
SubWord:        37 E9 A3 91
Rcon (RC[1]):   XOR 01 00 00 00
Result:         36 E9 A3 91
3. Given the plaintext [000102030405060708090A0B0C0D0E0F] and the 128-bit key
[01010101010101010101010101010101]:
(b) Show the value of the State after the initial AddRoundKey.
The State after the initial AddRoundKey (State XOR Key, bytes filled column by column) is:
01 05 09 0D
00 04 08 0C
03 07 0B 0F
02 06 0A 0E
(c) Show the value of the State after SubBytes.
The contents of the State byte after SubBytes (refer to Figure 1, AES S-Box) is:
7C 6B 01 D7
63 F2 30 FE
7B C5 2B 76
77 6F 67 AB
(d) Show the value of the State after ShiftRows.
The contents of the State matrix after ShiftRows:
7C 6B 01 D7
F2 30 FE 63
2B 76 7B C5
AB 77 6F 67
(e) Show the value of the State after MixColumns as a multiplication of two matrices.
The fixed MixColumns matrix (left) is multiplied, with arithmetic in GF(2^8), by the
State after ShiftRows (middle), giving the State after MixColumns (right):
02 03 01 01     7C 6B 01 D7     75 87 0F B2
01 02 03 01  x  F2 30 FE 63  =  55 E6 04 22
01 01 02 03     2B 76 7B C5     3E 2E B8 8C
03 01 01 02     AB 77 6F 67     10 15 58 0A
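The following Python is an added worked example, not part of the tutorial sheet: it implements the AES-128 key expansion of question 2 and the four round transformations of question 3 from the S-box in Figure 1, so the hand calculations above (the first eight words of the schedule, and the State after AddRoundKey, SubBytes, ShiftRows and MixColumns) can be reproduced and checked. The round constants RCON and the GF(2^8) reduction polynomial 0x11B are the standard AES values; function names are the example's own.

```python
# Added example, not from the tutorial sheet: AES-128 key expansion (question 2)
# and the first-round transformations of question 3, using the S-box of Figure 1.
# A word is a list of 4 ints; the State is a 4x4 list indexed [row][column],
# filled column by column from the input block as in the standard.
SBOX = [
    0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
    0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
    0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
    0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
    0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
    0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
    0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
    0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
    0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
    0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
    0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
    0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
    0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
    0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
    0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
    0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16,
]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # RC[1..10]

def rot_word(w):            # one-byte circular left shift: [b0 b1 b2 b3] -> [b1 b2 b3 b0]
    return w[1:] + w[:1]

def sub_word(w):            # S-box substitution on each byte of the word
    return [SBOX[b] for b in w]

def expand_key(key_hex):
    """Return the 44 words of the AES-128 key schedule."""
    key = bytes.fromhex(key_hex)
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:                       # function g on every fourth word
            temp = sub_word(rot_word(temp))
            temp[0] ^= RCON[i // 4 - 1]      # Rcon = {RC[i/4] 00 00 00}
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return words

def word_hex(w):
    return bytes(w).hex().upper()

def to_state(block):        # State[r][c] = block[r + 4c]
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def add_round_key(state, round_words):   # State XOR the 4 words of the round key
    return [[state[r][c] ^ round_words[c][r] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):                   # row r is rotated left by r bytes
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def xtime(b):                            # multiply by 02 in GF(2^8), polynomial 0x11B
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def mix_columns(state):
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        for r in range(4):               # row r of the matrix is [02 03 01 01] rotated right r times
            a1, a2, a3 = a[(r + 1) % 4], a[(r + 2) % 4], a[(r + 3) % 4]
            out[r][c] = xtime(a[r]) ^ xtime(a1) ^ a1 ^ a2 ^ a3
    return out

def state_hex(state):
    return [" ".join(f"{b:02X}" for b in row) for row in state]

def first_round_states(plain_hex, key_hex):
    """States of question 3 after AddRoundKey, SubBytes, ShiftRows and MixColumns."""
    words = expand_key(key_hex)
    s = add_round_key(to_state(list(bytes.fromhex(plain_hex))), words[:4])
    trace = [state_hex(s)]
    for step in (sub_bytes, shift_rows, mix_columns):
        s = step(s)
        trace.append(state_hex(s))
    return trace

if __name__ == "__main__":
    for i, w in enumerate(expand_key("44D82220E41FA6697368C0D0ACB2EB71")[:8]):
        print(f"w{i} = {word_hex(w)}")
    for name, st in zip(("AddRoundKey", "SubBytes", "ShiftRows", "MixColumns"),
                        first_round_states("000102030405060708090A0B0C0D0E0F",
                                           "01010101010101010101010101010101")):
        print(name, *st, sep="\n")
```

Running the script prints w0 to w7 for the question 2 key (w4 = w0 XOR g(w3) = 723181B1, and each later word is the XOR of the previous word with the word four positions back) and the four State matrices shown above for question 3; the MixColumns output matches the right-hand matrix in part (e).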
4. Compare AES to DES. For each of the following elements of DES, indicate the comparable
element in AES or explain why it is not needed in AES.
the double encryption, and the ciphertext, C, is decrypted to produce an intermediate value
in the double encryption.
Table lookup techniques can be used in such a way to dramatically improve on a brute-force
try of all pairs of keys.
10. Using the provided RC4 key schedule algorithm shown in Figure 3 and the following 128-bit
key K=F2021BB6C7E907D06DAFE4687E579FCE, represented in hex, calculate the value of j and
S[i] for i=0 and i=1. (Note: consider the key as an array of bytes from left to right)
for i = 0 to 255 do
    S[i] = i
    T[i] = K[i mod keylen]
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    swap(S[i], S[j])
For i = 0: j = (0 + S[0] + T[0]) mod 256 = 0 + 0 + F2hex = F2hex. S[F2] currently contains
the value F2hex, which is (F2)hex = 15 x 16 + 2 = 242, so after the swap S[0] = 242
and S[242] = 0.
For i = 1: j = (j + S[1] + T[1]) mod 256 = (F2)hex + 1 + 2 = 242 + 3 = 245 (or F5hex).
Then swap S[1] and S[F5]; by the same argument S[F5] = S[245] = 245 before the swap, so
S[1] = F5hex = 245 and S[245] = 1 after the swap.
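The following Python is an added example, not part of the tutorial sheet: it runs the RC4 key-scheduling algorithm of Figure 3 on the 128-bit key from question 10 and records (i, j, S[i], S[j]) after each swap, so the two hand-computed iterations can be read off and the full 256-step run can be sanity-checked as still being a permutation. The function names and the `steps` parameter are the example's own.

```python
# Added example, not from the tutorial sheet: the RC4 key-scheduling algorithm (KSA)
# shown in Figure 3, with an optional step limit so that the j and S[i] values of
# question 10 can be read off after only the first iterations of the swap loop.
# The key is the 128-bit value from the question, taken as bytes left to right.
KEY_HEX = "F2021BB6C7E907D06DAFE4687E579FCE"

def rc4_ksa(key, steps=256):
    """Run the KSA for `steps` iterations of the swap loop.
    Returns (j, S, trace) where trace lists (i, j, S[i], S[j]) after each swap."""
    keylen = len(key)
    S = list(range(256))                       # S[i] = i: identity permutation
    T = [key[i % keylen] for i in range(256)]  # T[i] = K[i mod keylen]
    j = 0
    trace = []
    for i in range(steps):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]                # swap(S[i], S[j])
        trace.append((i, j, S[i], S[j]))
    return j, S, trace

def question_10():
    """The values asked for in question 10: j and S[i] for i = 0 and i = 1."""
    j, S, trace = rc4_ksa(bytes.fromhex(KEY_HEX), steps=2)
    return {"trace": trace, "S[0]": S[0], "S[1]": S[1],
            "S[242]": S[242], "S[245]": S[245], "j": j}

def is_permutation(S):
    """Sanity check on a full KSA run: S must still be a permutation of 0..255."""
    return sorted(S) == list(range(256))

if __name__ == "__main__":
    for i, j, si, sj in question_10()["trace"]:
        print(f"i={i}: j={j} (0x{j:02X}), S[i]={si}, S[j]={sj}")
    print("full KSA is a permutation:", is_permutation(rc4_ksa(bytes.fromhex(KEY_HEX))[1]))
```

The trace for the first two iterations is (0, 242, 242, 0) and (1, 245, 245, 1), i.e. exactly the values derived by hand above. The KSA only permutes S, so after all 256 iterations the array must still contain each value 0 to 255 once; the `is_permutation` check makes that property explicit.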
Input and output block length of 64 bits and the key size is 56 bits.
Given a key K, the key scheduling requires 2 microseconds (2 x 10^-6 secs).
After the key scheduling produces all the sub-keys (if required), the encryption of a
single 64-bit block takes 0.5 microseconds.
The total time required (of course in microseconds) to encrypt 1 MByte (2^20 bytes) of
data.
First we need to find the number of 64-bit blocks in 1 MByte of data as follows:
number of bits in 1 MB = 2^20 bytes x 8 bits/byte = 8,388,608 = 2^23 bits
Number of data blocks = 8,388,608 bits / 64 bits = 131,072 blocks = 2^17 blocks of 64 bits each
It is now simply a matter of recognizing that the key K will be scheduled only once for
this encryption, and that we need to encrypt 131,072 blocks of data.
Time = 2 microseconds + 2^17 x 0.5 microseconds = 65,536 + 2 = 65,538 microseconds
Given two values C and M such that C = E_K(M) under the unknown key value K, how
many years (at most) are required to crack the cipher on a single computer?
The second part seeks the amount of time, at most, it would take to crack the cipher
given ciphertext C and the related plaintext M. In order to do this, it is necessary to
search the entire key space. Because a key is 56 bits long:
Total number of keys = 2^56 = 72,057,594,037,927,936
Now that we know how many keys we need to try before we find the right one, we must
recognize that we only need to test a single block of data. Each trial then requires key
scheduling plus the time to encrypt/decrypt (depending on which one you choose).
Thus, the equation becomes:
(2^56 x (2 microseconds + 0.5 microseconds)) x 10^-6 secs, approximately 1.8 x 10^11 secs
Translated into years: approximately 2,084,999 days, approximately 5712 years
12. Consider a password system which uses all the 102 printable characters of the English (or
American) keyboard, and the password is 8 characters long.
How many distinct passwords are possible under the above scheme? (give the numbers
approximately as a.b x 10^c).
Number of passwords = 102^8, approximately 1.17 x 10^16
If the password scheme is limited to the 26 lowercase English letters only (with the password
length remaining 8 characters), how many passwords will there be?
Number of passwords = 26^8, approximately 2.09 x 10^11
If the password length is limited to 6 characters (with the number of characters still 102),
how many passwords will there be?
Number of passwords = 102^6, approximately 1.12 x 10^12
13. Think of application(s) where private key encryption may not be suitable.
In a distributed system, any given host or terminal may need to make exchanges with many
other hosts and terminals over time. Thus each device needs a number of keys, one to share with
each party it wishes to communicate with. The scale of the problem depends on the number of
communicating pairs that must be supported. If there are N hosts, the number of keys
required is N(N - 1)/2. If encryption is done at the application layer, then a key is needed for
every pair of users or processes that require communication. Thus, a network may have hundreds
of hosts, but thousands of users and processes. In such situations, private key encryption may not
be appropriate.
14. Assume that passwords have length six and all alphanumerical characters, upper and lower
case, can be used in their construction. How long will a brute force attack take on average if:
15. Passwords are entered by users and checked by computers. Thus, there has to be some
communications channel between user and computer. So far we have taken a very abstract
view of this channel and assumed that it exists and that it is adequately secure. When is this
assumption justified? When is it not justified?
There are very few times when the transmission can be considered secure. The line is secure
when it is serving a user logging into a machine locally, e.g., a keyboard cable running to a
desktop machine. The line is secure if it is on an internal LAN that only you have access to,
or that a very few (assumed trusted) individuals have access to. A line should never be
considered secure if it is somehow connected to the internet (even if it is behind a firewall). In
short, a line should never be considered secure unless you can see it from origin to
destination.
17. Design a protocol by which two parties who are separated by a distance can authenticate each
other. Your protocol should be useable the first time these two parties authenticate each
other.
(a) Use some personal information to validate the user (such as the birth date, post
code, or private phone number). This method does not guarantee 100% authentication,
although in most cases it will be OK.
(b) Use a trusted third party (such as Australia Post, a trusted web site, etc.) to exchange a
secret (which can be a key or a hash function) which can be used to code the response.
(c) Create a public/private key pair and use this to establish the secret.
18. There exists a time-memory trade-off in password guessing described in Hellman (1980). Let
N be the number of possible passwords. In a precomputation step using N trial encryptions, a
table with N^(2/3) entries is constructed. If you later want to find a given encrypted password,
you need N^(2/3) trial encryptions. How much memory space do you need when passwords of
length 6 are chosen from an 8-bit character set? How quickly will you find the password if a
trial encryption takes one microsecond?
Reference: Martin E. Hellman, A Cryptanalytic Time-Memory Trade-Off (1980).
The technique requires M memory words for table lookup and T time cycles for brute force
trial (the two extremes: exhaustive search T = N, M = 1 and table lookup T = 1, M = N).
The paper shows that with m as memory parameter and t as time parameter in the
time-memory trade-off technique, M = mt and T = t^2. By choosing M = T the overall cost is
N = mt^2, which results in M = T = N^(2/3). The table precomputation cost is ignored (it is done
once) and it requires a chosen plaintext attack (the attacker precomputes the table using a
plaintext P0 and gets the corresponding ciphertext from the target).
For all passwords of 6 characters from an 8-bit character set, one gets N = 2^48 passwords; however for
dictionary-based passwords, one gets far fewer.
To use the time-memory trade-off technique for N = 2^48, the required memory space is
N^(2/3) = 2^32 = 4 Giga entries in the lookup table (the size of each entry depends on the size of one
block of the chosen plaintext, which for instance in DES is 64-bit and in AES 128-bit). In the
case of DES we need 4 x 4 = 16 GB, which is perfectly reasonable, and about 2^32 trial
encryptions per password are required, which should take 4295 seconds. In contrast to doing
a brute force, which would take 8.9 years, this scheme is quite efficient.
Interested students can have a closer look at Hellman's scheme. A detailed analysis
of its complexity is given in Serge Vaudenay:
A Classical Introduction to Cryptography, Springer, 2006, on pages 54-58. Further
developments on time-memory trade-offs can be found in:
Alex Biryukov, Adi Shamir, David Wagner: Real Time Cryptanalysis of A5/1 on a PC.
Proceedings FSE 2000, Springer LNCS 1978, pages 1-18, 2001.
19. A McDonald's look-alike company, conceived by a Monash MBA, has developed with
the help of 5 chefs a number of recipes which he thinks will take the market by storm.
However, he recently received an anonymous tip stating that three of the five chefs are
considering job offers from their competitor (of course it has to be McDonald's; however, the
tip-off does not say who they are). Assume that only those 5 chefs can use the company's
computer, which has the recipes in files, and that unfortunately, as the Monash MBA hasn't done any
subjects from the Information Technology Faculty, he does not know how to use the computer (or
its related programs). However, he wants the chefs to store the recipes so that no subset of
three can steal the complete recipes. Describe a method of storing the information so that the
above objective can be met.
The Monash MBA can have a single key K for encrypting the recipe files and divide the key using
the key escrow method into 5 key shares (such as using the Shamir (4,5) threshold scheme)
and distribute these shares to each chef. The 5 private keys for the chefs should be derived in
such a manner that K can be derived using at least (and not fewer than) 4 of the five chefs' keys.
That way, 3 or fewer chefs will not be able to get access to all the encrypted information.
20. In a Shamir (3,5)-threshold scheme, the dealer chooses prime number p = 17, the key k = 4,
a1 = 1 and a2 = 5. What are the individual keys for the participants? Show all the working.
The dealer uses a(x) = [k + (a1 x) + (a2 x^2)] mod p = [4 + (1 x) + (5 x^2)] mod 17 to
calculate the following individual keys:
First Participant: a(1) = [4 + (1 x 1) + (5 x 1^2)] mod 17 = 10
Second Participant: a(2) = [4 + (1 x 2) + (5 x 2^2)] mod 17 = 9
Third Participant: a(3) = [4 + (1 x 3) + (5 x 3^2)] mod 17 = 1
Fourth Participant: a(4) = [4 + (1 x 4) + (5 x 4^2)] mod 17 = 3
Fifth Participant: a(5) = [4 + (1 x 5) + (5 x 5^2)] mod 17 = 15
21. In a Shamir (2,3)-threshold scheme using prime number 17, the values of the key for
participants 1 and 2 are 11 and 15 respectively. What is the value of the key? Show all the
working.
Solve the equations a(x) = k + a1 x for x = 1 and x = 2, where
a(participant number) = participant key:
for x = 1 we have a(1) = k + a1 x 1 = 11 mod 17 (eq1)
for x = 2 we have a(2) = k + a1 x 2 = 15 mod 17 (eq2)
We can multiply (eq1) by 2, hence: 2k + 2a1 = 22 mod 17 = 5 (eq3)
Then we subtract (eq2) from (eq3), hence: (2k - k) + (2a1 - 2a1) = (5 - 15) mod 17, so we
have k = -10 mod 17
To get the positive remainder we can add the modulus to the negative remainder, hence:
k = (-10 + 17) mod 17 = 7
(Although there is no need to calculate a1, using either of (eq1) or (eq2) we can get
a1 = 4)
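The following Python is an added example, not part of the tutorial sheet, covering questions 20 and 21 together: `make_shares` evaluates the dealer's polynomial mod p exactly as done by hand in question 20, and `reconstruct` recovers k = a(0) by Lagrange interpolation over GF(p), which generalises the two-equation elimination of question 21 to any t shares of a (t, n) scheme. Function names are the example's own; the parameters are those given in the questions.

```python
# Added example, not from the tutorial sheet: Shamir's threshold scheme over GF(p)
# for questions 20 and 21. make_shares evaluates the dealer's polynomial; reconstruct
# recovers k = a(0) by Lagrange interpolation, which generalises the two-equation
# elimination done by hand in question 21 to any t shares of a (t, n) scheme.

def make_shares(p, k, coeffs, n):
    """Evaluate a(x) = k + a1*x + a2*x^2 + ... (mod p) at x = 1..n; returns {x: a(x)}."""
    return {x: (k + sum(a * pow(x, i + 1, p) for i, a in enumerate(coeffs))) % p
            for x in range(1, n + 1)}

def reconstruct(p, shares):
    """Recover k = a(0) from t shares {x: a(x)} of a degree-(t-1) polynomial mod p.
    k = sum over i of y_i * prod_{j != i} (0 - x_j) / (x_i - x_j), all mod p."""
    k = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (0 - xj) % p     # numerator of the Lagrange basis at x = 0
                den = den * (xi - xj) % p    # denominator of the Lagrange basis
        k = (k + yi * num * pow(den, -1, p)) % p   # pow(den, -1, p): modular inverse (Python 3.8+)
    return k

def question_20():
    """(3,5) scheme, p = 17, k = 4, a1 = 1, a2 = 5."""
    return make_shares(17, 4, [1, 5], 5)

def question_21():
    """(2,3) scheme, p = 17, shares a(1) = 11 and a(2) = 15."""
    return reconstruct(17, {1: 11, 2: 15})

if __name__ == "__main__":
    shares = question_20()
    print("Q20 shares:", shares)                                  # {1: 10, 2: 9, 3: 1, 4: 3, 5: 15}
    print("Q20 key from shares 2, 4, 5:",
          reconstruct(17, {x: shares[x] for x in (2, 4, 5)}))     # 4
    print("Q21 key:", question_21())                              # 7
```

Reconstructing from shares 2, 4 and 5 of question 20 returns the original k = 4, showing that any 3 of the 5 shares suffice, and the (2,3) case returns k = 7 as in the hand calculation. The interpolation must be done mod p throughout: over the integers the same three shares would not give 4, because the share values were already reduced mod 17.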