University of Virginia, Department of Computer Science
CS551: Security and Privacy on the Internet, Fall 2000

Problem Set 2: Symmetric Encryption Selected Answers

Average: 86/100

1. Perfect Ciphers

Dogbert invents a cipher based on tossing a coin with probabilities: p(heads) = 1/3, p(tails) = 1/3, p(edge) = 1/3. He creates a one-time pad from the results of an infinite number of coin flips, and gives Ratbert a copy of the pad.

He encodes a binary message using the following scheme:

      message pad     output             message pad     output
      ======================             ======================
      0       heads   $                  1       heads   &
      0       tails   &                  1       tails   %
      0       edge    %                  1       edge    $
a. (10) Is Dogbert's cipher perfect? (Prove or disprove)

Answer: See Kristen Olvera's answer.

b. (10) Ratbert doesn't like writing $ signs, so he modifies Dogbert's cipher to use:

      message pad     output             message pad     output
      ======================             ======================
      0       heads   0                  1       heads   1
      0       tails   1                  1       tails   0
      0       edge    1                  1       edge    0
Is Ratbert's cipher perfect? (Prove or disprove)

Answer: See Kristen Olvera's answer.

2. Entropy and Unicity

The Jefferson Wheel (from Problem Set 1) uses 36 wheels each having 26 letters. A legitimate receiver knows the contents and order of the wheels, but must be able to identify the correct plaintext row after aligning the wheels to the ciphertext.

a. (10) In order for the sender to have high confidence the receive will identify the correct row, what is the minimum redundancy of the language of the message?

Answer: (Victor Ludwig)

b. (10) Challenge #1 challenges you to decipher a Jefferson wheel ciphertext 5753 characters long, without knowing the wheels. If you assume the secret message has typical redundancy of English, D = .72, is it (theoretically) possible to obtain the plaintext with good confidence?

Answer: (Victor Ludwig)

3. Fiestel Ciphers

Ben Bitdiddle has invented a Feistel cipher and hired you to check if it is secure. His cipher opreates on 64-bit block and consists of 4 rounds. For each round:
    L_i = R_i-1
    R_i = L_i-1 XOR F (R_i-1, K)
    F (m, k) = k XOR m
The same 32-bit key, K is used for each round. The final ciphertext is: C = R_4 || L_4.

You are given the plaintext-ciphertext pair:

plaintext:  0001100100001101011101001100011101101011010100010011101001100010
ciphertext: 0111001001011100010011101010010101101011010100010011101001100010
Ben is stubbornly convinced of his genius and the invincibility of his cipher, and is not disturbed by the odd similarily between the second half of the ciphertext and the second half of the plaintext.

(20) Convince Ben the cipher is insecure by determining the key.

Answer: (Victor Ludwig)

4. DES

a. (10) Quadruple DES
Lem E. Tweakit doesn't think Triple DES is secure enough for encoding his secret sauce reciple. So, he adds an additional stage to Triple DES: C = Ek_4 (Ek_3 (Ek_2 (Ek_1 (P))))) where Ek_n means DES encrypt using key k_n.

He uses 4 different 56-bit keys, and believes his cipher has and effective key size of 224 bits.

Is he right? (Estimate the actual key space a brute force attack would need to search.)

Answer: See James Tsai's answer.

b. (20) DES Complement (based on Stallings, question 3.10)
Prove that C = DES (P, K) implies C^ = DES (P^, K^) where M^ is the bitwise complement of M and DES (P, K) is the output of DES encrypting P with key K. (Hint: show (A XOR B)^ = A^ XOR B.)

Answer: The key thing to notice is that all DES components except the S-boxes are linear, and the inputs to the S-boxes are exactly the same whether you start with P and K or you start with P^ and K^. For details, see James Tsai's answer.

c. (10) By how much does the property you proved in 4b reduce the amount of work required for a known plaintext brute force attack?


If you are doing a ciphertext only attack, it is clearly useful. You can try all possible plaintext blocks with half the possible keys. If results C, you may have the correct key; if C^ results, K^ may be the correct key (and P^ the corresponding guessed plaintext). Ciphertext-only attacks on DES, however, are not very realistic. Even with the complement property, you need to try 264 + 55 plaintext-key pairs.

If you are doing a chosen-plaintext attack, you can obtain two palintext-ciphertext pairs (P1, C1) and (P2, C2) where P1 = P2^. Try encrypting P1 using half of the key space (all keys whose least significant bit is zero). If you get C1 using key K, K is likely to be the real key. If you get C2^, then K^ is likely to be ther real key. Otherwise, neither K nor K^ can be the real key. You only need to run DES once to eliminte 2 keys, and bitwise complement is inexpensive, so this approximately halves the amount of work required.

For a known plaintext attack, the complement property is unlikely to help much. In fact, with enough plaintext pairs it does aid differential cryptanalysis. (See Differential Cryptanalysis of DES-like Cryptosystems, Biham and Shamir, 1991 for more details.)

We gave full credit to both "yes" and "no" answers with sufficient explanation. This was a more confusing question than I had intended. I meant to asks about the chosen-plaintext attack, but made a mistake in the question. Sorry!

CS 655 University of Virginia
Department of Computer Science
CS 551: Security and Privacy on the Internet
David Evans