University of Virginia, Department of Computer Science
CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 2: Symmetric Encryption Out: 12 September 2001
Due: 26 September 2001, before class

Collaboration Policy

You may work with up to two other students on this problem set. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and criticing possible solutions; it does not permit splitting up questions in a group.

You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

Occasionally, we will reuse problems from last year's version of this course. You should not look at answers from previous semesters.

Problem set answers may be hand-written, but only if your hand writting is neat enough for us to read it. For full credit, answers must be clear and concise.

1. Faro Shuffling

Magicians and card sharks can perform Faro shuffles (named after a card game in which these shuffles were particularly effective for dishonest dealers) that split the deck into halves, and then perfectly interleaves the two halves. There are two forms of Faro shuffles - the out shuffle, in which the first card is taken from the top half of the deck; and the in shuffle, in which the first card is taken from the bottom half of the deck. If the deck has an odd number of cards (2n - 1), for the out shuffle the top half is split to n cards and the bottom half is split with n - 1 cards. For the in shuffle, the top half would use n - 1 cards, and the bottom half n cards.

For example, for a deck with 9 cards 0 1 2 3 4 5 6 7 8, a Faro out shuffle would split the deck into top stack 0 1 2 3 4 and bottom stack 5 6 7 8 and produce 0 5 1 6 2 7 3 8 4. An in shuffle would split the deck as 0 1 2 3 and 4 5 6 7 8 and produce 4 0 5 1 6 2 7 3 8. We could describe the 9-card Faro in shuffle as a permutation of the card positions: (0 1) (1 3) (2 5) (3 7) (4 0) (5 2) (6 4) (7 6) (8 8).

a. (10) What is the order of the Faro in shuffle on a 9-card deck? (That is, what is the fewest number of shuffles before each card returns to its original position.) (A full credit answer should show how you determined this doing something smarter than manually tracing through every shuffle.)

We can also consider Faro shuffles as a function on positions, where p is the card's position starting from 0 = top of deck and N is the number of cards:

    O(p) = 2p mod N	  out shuffle
    I(p) = 2p + 1 mod N	  in shuffle
b. (5) Prove that the position of a card starting at p after a sequence of k out shuffles is 2k p mod N.

c. (5) Prove that the position of a card starting at p after a sequence of k in shuffles is 2kp + Σ 2k - i mod N where Σ is the sum from i = 1 to k.

d. (5) Define w(S) = 0 for out shuffles and w(S) = 1 for in shuffles. Prove that the possition of card p after a sequence of k shuffles, Si where Si is either an out shuffle or an in shuffle, is given by:

Sk ... S2S1 (p) = 2kp + Σ 2k-i w(Si) mod N
where Σ is the sum from i = 1 to k.

e. (5) Cathy Sharky, noted card shark, is playing poker using a standard deck with 1 joker (53 total cards). Cathy puts the Ace on top of the deck when she picks up the cards. There are 4 other players in the game, so she wants the Ace to end up as the 5th card from the top of the deck so she deals it to herself.

Assuming Cathy is adept at performing perfect in and out shuffles (as would be any qualified card shark), how should she shuffle the deck? (Since we number the positions 0..52, this means we are looking for a sequence of permutations such that P(0) = 4 where P = some sequence of I and O shuffles.)

f. (up to 10 bonus points) Devise a general way Cathy can determine a sequence of in and out shuffles that will move the top card on the deck to an arbitrary position in the deck? (Hint: You may assume that before embarking on her career as a card shark, Cathy took some CS courses and is well adept at converting between decimal and binary.)

2. Enigma

The cryptanalysists at Beltchley Park (no relation to Bletchley Park), have recovered a mechanical cipher device used by their arch-enemies the Jansonites. The device appears to be a variant on the Enigma machine. It consists of two rotors and a reflector:

                    ________    ________    _______
                    |      |    |      |    |     |
   Plaintext ------>|      |--->|      |--->|     |
                    |      |    |      |    |     |
                    |  L   |    |  M   |    |  R  |
                    |      |    |      |    |     |
   Ciphertext <-----|      |<---|      |<---|     |
                    |______|    |______|    |_____|

		     Rotor 1     Rotor 2    Reflector

Both rotors contain the alphabet in order. Hence, in position 1, the rotor maps A -> A, B -> B ..., Z -> Z. In position 2, the rotor maps A -> B, B -> C, ..., Z -> A. Rotor 1 advances one position for every letter. Rotor 1 has a ring, that make Rotor 2 advance once. Hence, Rotor 2 will advance one position every 26 letters. The ring is always set so that Rotor 2 will advance after the 26th letter (and every 26 letters after that). In the reverse directions, the rotors have the inverse mapping (e.g., in position 2, rotor 1 in the reverse direction maps B -> A.)

The reflector connects A <-> N, B <-> O, C <-> P, ..., M <-> Z.

a. (5) Charles Blabbage claims that decoding messages encoded with the Jansonite Enigma machine is as hard than breaking the Vigenere, which they are convinced is indecipherable (of course, we know better). Show that breaking the Jansonite Enigma cipher is no harder than breaking a Vigenere cipher with a key or a particular length.

b. (5) Although Blabbage showed the Jansonite Enigma cipher is no harder to break than the Vigenere cipher, this does not mean it is not easier to break. Describe a more effective attack.

c. (15 + possible bonus) The Jansonites believe a more confusing reflector is the key to improving their cipher. They replace the reflector with a random letter mapping, unknown to Beltchly Park. Note that unlike the real Enigma reflector, their reflector is not an involution. It can be any monoalphabetic substitution. It is known, however, that all messages on a particular day are encrypted with the same day key, and start with the message key repeated three times. The message key is two letters giving the initial rotor orientations for Rotor 1 and Rotor 2. Since the Jansonites are extremely lazy, it is known that the message key is always two identical letters. Hence, you can assume that the first six letters transmitted are all identical (e.g., "FFFFFF" or "UUUUUU"). On one day Beltchly Park intercepted the following ten encrypted messages:

DJOXYM
GVLCAS
UYTQLH
OAHFZF
CQQEHB
BIGAGL
PLWLXE
EWSWRO
VSNJUJ
FDVRVQ
Each of there messages corresponds to six identical letters encrypted starting with the same rotor orientations.

Determine everything you can about the reflector and day key. (You will receive some credit for determining anything useful about the reflector or day key. For full credit, you must determine a possible reflector and day key setting. For bonus points, you must determine everything that can be determined from the available information and argue convincingly why it is not possible to determine nore.)

3. Fiestel Ciphers

Ben Bitdiddle has invented a Feistel cipher and hired you to check if it is secure. His cipher opreates on 64-bit block and consists of 4 rounds. For each round:
    L_i = R_i-1
    R_i = L_i-1 XOR F (R_i-1, K)
    F (m, k) = k XOR m
The same 32-bit key, K is used for each round. The final ciphertext is: C = R_4 || L_4.

You are given the plaintext-ciphertext pair:

plaintext:  0001100100001101011101001100011101101011010100010011101001100010
ciphertext: 0111001001011100010011101010010101101011010100010011101001100010
Ben is stubbornly convinced of his genius and the invincibility of his cipher, and is not disturbed by the odd similarily between the second half of the ciphertext and the second half of the plaintext.

(15) Convince Ben the cipher is insecure by determining the key used for the plaintext-ciphertext pair shown above.

4. DES

a. (10) Quadruple DES
Lem E. Tweakit doesn't think Triple DES is secure enough for encoding his secret sauce reciple. So, he adds an additional stage to Triple DES: C = Ek_4 (Ek_3 (Ek_2 (Ek_1 (P))))) where Ek_n means DES encrypt using key k_n.

He uses 4 different 56-bit keys, and believes his cipher has and effective key size of 224 bits.

Is he right? (Estimate the actual key space a brute force attack would need to search.)

b. (10) DES Complement
Prove that C = DES (P, K) implies C^ = DES (P^, K^) where M^ is the bitwise complement of M and DES (P, K) is the output of DES encrypting P with key K. (Hint: show (A XOR B)^ = A^ XOR B.)

c. (10) By how much does the property you proved in 4b reduce the amount of work required for a known plaintext brute force attack? What about for a ciphertext only brute force attack?


CS 655 University of Virginia
Department of Computer Science
CS 588: Cryptology - Principles and Applications
David Evans
evans@cs.virginia.edu