assignment #2 solutions - courses.cs.washington.edu
TRANSCRIPT
Problem 1
Block Cipher
Block Cipher
Block Cipher
Block Cipher
IV
January 27, 2011 Practical Aspects of Modern Cryptography 2
n bits k zero bits
removed
Inverse Cipher
Inverse Cipher
Inverse Cipher
Inverse Cipher
IV
January 27, 2011 Practical Aspects of Modern Cryptography 3
Problem 1
Missing bits
Problem 1 Let b = π
π be the number of blocks.
Plaintext π0, π1, β¦ , ππ, ciphertext πΆ0, πΆ1, β¦ , πΆπ.
We care about πΆπβ1, πΆπ , ππβ1 and ππ .
We know π, the number of bits removed from the penultimate block, since π = π β (π mod π).
Recall that for CBC decryption, we have plaintext block
ππ = Decrypt(πΎ, πΆπ) β¨ πΆπβπ
1/27/2011 Practical Aspects of Modern Cryptography
Problem 1 ππ = Decrypt(πΎ, πΆπ) β¨ πΆπβπ
1. Compute ππ = Decrypt(πΎ, πΆπ) (intermediate value of final block)
2. We also know ππ = ππ πππ πΆπβ1 if we have all the bits in πΆπ .
3. Finally, we know the last π bits of ππ are 0 (pad).
4. So for each of the padding bits ππ,πβπ+1, β¦ , ππ,π
we have ππ,π = ππ,π XOR πΆπβ1,π for π = π β π + 1, β¦ , π
5. Since ππ,π = 0, then ππ,π = πΆπβ1,π
1/27/2011 Practical Aspects of Modern Cryptography
Problem 1: Ciphertext Stealing
Inverse Cipher
Inverse Cipher
Inverse Cipher
Inverse Cipher
Plaintext
Ciphertext
IV
110101
110101
00β¦0
Problem 2 Decrypt a π-block segment in the middle of a long CBC-
encrypted ciphertext.
What is the minimum number of blocks of ciphertext that need to be decrypted?
Which blocks do you need to decrypt and how will you decrypt them?
1/27/2011 Practical Aspects of Modern Cryptography
Problem 2
In CBC decryption, we have plaintext block
ππ = Decrypt(πΎ, πΆπ) β¨ πΆπβπ
NOTE: Boundary case "πΆβ1" = IV.
Each plaintext block we want requires one decryption of the corresponding plaintext plus one XOR.
So the minimum number of ciphertext blocks to be decrypted is π.
If you want plaintext blocks ππ , ππ+1, β¦ , ππ+πβ1, then you need ciphertext blocks πΆπβ1, πΆπ , πΆπ+1, β¦ , πΆπ+πβ1.
If π = 0, instead of πΆπβ1 you need the IV.
1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 π» is a Merkle-DamgΓ₯rd hash function w/ compression
function πΉ. Black box takes inputs πΌπ and π¦ and outputs an π₯ such that πΉ πΌπ, π₯ = π¦.
Show how by using the black box at most 2π times you can find a set of 2π messages that all have the same hash value when input into the full hash function π».
1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 1
Basic idea: find pairs of messages π₯π , π₯πβ² satisfying
πΉ πΌππ , π₯π = πΉ πΌππ , π₯πβ² = π¦π, π = 1, . . , π
π¦π = πΌππ+1 πΌπ1 = πΌπ
Start at the end. Choose a random target output value π¦π and a random input value π¦πβ1 = πΌππ . Call the black box twice with πΌππ , π¦π to generate π₯π , π₯π
β² .
Now move back a block. We have π¦πβ1, choose random πΌππβ1 = π¦πβ2. Run the box twice, get π₯πβ1, π₯πβ1
β² .
1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 1 We now have 4 two-block messages that hash to the
same value when F is the compression function: π₯πβ1π₯π , π₯πβ1π₯π
β² , π₯πβ1β² π₯π , π₯πβ1
β² π₯πβ²
Repeat this procedure π times and youβll have made 2π calls to the black box to generate π pairs π₯π , π₯π
β².
To generate 2π messages that hash to the same value, make π-block messages where the πth block is either π₯π or π₯π
β². Two choices per block, π blocks == 2π .
1/27/2011 Practical Aspects of Modern Cryptography
Problem 3 β Solution 2 The βfixed pointβ solution
Choose a fixed value for πΌπ. Now call the black box to find an π₯ such that πΉ πΌπ, π₯ = πΌπ.
Concatenate π₯ as many times as you want, the hash will still be πΌπ. So to get 2π messages:
π₯, π₯π₯, π₯π₯π₯, π₯π₯π₯π₯, β¦ , π₯π₯π₯ β¦ π₯π₯π₯ (2π total times)
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 πΊ(π₯) = π»(π₯) β₯ π»β²(π₯), π»(π₯) and π»β²(π₯) are hash
functions with π-bit outputs, so πΊ(π₯) has 2π-bit outputs.
Normally, with a birthday attack we would expect to have to generate 22π/2 = 2π messages to find a collision.
However, π»(π₯) is badly broken (as in Prob. 3) so assume
we can generate 2π/2 messages that all have the same hash value in π» π₯ .
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 Now compute π»β²(π₯) for each of the 2π/2 that have the
same hash value in π»(π₯).
By the birthday attack we expect to find a collision from those 2π/2 messages.
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 Was it a good idea to construct πΊ(π₯) = π»(π₯) β₯ π»β²(π₯)?
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 Was it a good idea to construct πΊ(π₯) = π»(π₯) β₯ π»β²(π₯)?
Well, it dependsβ¦
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 Was it a good idea to construct πΊ(π₯) = π»(π₯) β₯ π»β²(π₯)?
Well, it dependsβ¦
YES: At the cost of computing two hashes vs. one, you get resistance if one of π», π»β² breaks.
1/27/2011 Practical Aspects of Modern Cryptography
Problem 4 Was it a good idea to construct πΊ(π₯) = π»(π₯) β₯ π»β²(π₯)?
Well, it dependsβ¦
YES: At the cost of computing two hashes vs. one, you get resistance if one of π», π»β² breaks, butβ¦
NO: However, πΊ(π₯) doesnβt have the security margin youβd expect of a 2π-bit hash function. Itβs only as strong as the better of its two components
1/27/2011 Practical Aspects of Modern Cryptography
Problem 5
Alice Bob: π = βplease pay the bearer $1β, π»(π, π).
π is an exact multiple of π»βπ block size (so you donβt need to do any padding).
What can Bob do?
1/27/2011 Practical Aspects of Modern Cryptography
Problem 5
Note that π is only an input to the first application of π»β²π compression function (e.g. itβs the πΌπ to the hash of the first block of π)
Bob can append data to π, create πβ² = π β₯ β,000,000β, and compute π» π, πβ² from π»(π, π).
1/27/2011 Practical Aspects of Modern Cryptography