University of Virginia, Department of Computer Science

CS588: Cryptology - Principles and Applications, Fall 2001

Problem Set 2: Symmetric Encryption

Out: 12 September 2001

Due: 26 September 2001, before class

## Collaboration Policy

You may work with up to two other students on this problem set. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and critiquing possible solutions; it does not permit splitting up questions in a group.

Problem set answers may be hand-written, but only if your handwriting is neat enough for us to read it. For full credit, answers must be clear and concise.

You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

Occasionally, we will reuse problems from last year's version of this course. You should *not* look at answers from previous semesters.

## 1. Faro Shuffling

Magicians and card sharks can perform Faro shuffles (named after a card game in which these shuffles were particularly effective for dishonest dealers) that split the deck into halves, and then perfectly interleave the two halves. There are two forms of Faro shuffles: the *outshuffle*, in which the first card is taken from the top half of the deck; and the *inshuffle*, in which the first card is taken from the bottom half of the deck. If the deck has an odd number of cards (2*n* - 1), for the out shuffle the top half gets *n* cards and the bottom half gets *n* - 1 cards. For the in shuffle, the top half would use *n* - 1 cards, and the bottom half *n* cards.

For example, for a deck with 9 cards `0 1 2 3 4 5 6 7 8`, a Faro out shuffle would split the deck into top stack `0 1 2 3 4` and bottom stack `5 6 7 8` and produce `0 5 1 6 2 7 3 8 4`. An in shuffle would split the deck as `0 1 2 3` and `4 5 6 7 8` and produce `4 0 5 1 6 2 7 3 8`. We could describe the 9-card Faro in shuffle as a permutation of the card positions: `(0 1) (1 3) (2 5) (3 7) (4 0) (5 2) (6 4) (7 6) (8 8)`.

**a.** (10) What is the order of the Faro in shuffle on a 9-card deck? (That is, what is the fewest number of shuffles before each card returns to its original position.) (A full credit answer should show how you determined this doing something smarter than manually tracing through every shuffle.)

We can also consider Faro shuffles as a function on positions, where *p* is the card's position starting from 0 = top of deck and *N* is the number of cards:

$$O(p) = 2p \bmod N \qquad \text{(out shuffle)}$$

$$I(p) = 2p + 1 \bmod N \qquad \text{(in shuffle)}$$

**b.** (5) Prove that the position of a card starting at *p* after a sequence of *k* out shuffles is $2^{k} p \bmod N$.

**c.** (5) Prove that the position of a card starting at *p* after a sequence of *k* in shuffles is $2^{k} p + \sum_{i=1}^{k} 2^{k-i} \bmod N$, where the sum runs from *i* = 1 to *k*.

**d.** (5) Define *w*(*S*) = 0 for out shuffles and *w*(*S*) = 1 for in shuffles. Prove that the position of card *p* after a sequence of *k* shuffles, $S_i$ where $S_i$ is either an out shuffle or an in shuffle, is given by:

$$S_k \ldots S_2 S_1 (p) = 2^{k} p + \sum_{i=1}^{k} 2^{k-i} w(S_i) \bmod N$$

where the sum runs from *i* = 1 to *k*.

**e.** (5) Cathy Sharky, noted card shark, is playing poker using a standard deck with 1 joker (53 total cards). Cathy puts the Ace on top of the deck when she picks up the cards. There are 4 other players in the game, so she wants the Ace to end up as the 5th card from the top of the deck so she deals it to herself.

Assuming Cathy is adept at performing perfect in and out shuffles (as would be any qualified card shark), how should she shuffle the deck? (Since we number the positions 0..52, this means we are looking for a sequence of permutations such that P(0) = 4 where P = some sequence of I and O shuffles.)

**f.** (up to 10 bonus points) Devise a general way Cathy can determine a sequence of in and out shuffles that will move the top card on the deck to an arbitrary position in the deck. (Hint: You may assume that before embarking on her career as a card shark, Cathy took some CS courses and is well adept at converting between decimal and binary.)
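The split-and-interleave description of the shuffles and the position formula in part d can be checked against each other mechanically. The following is an added example, not part of the original problem set; the function names are illustrative, and the check is meant for odd deck sizes such as the 9-card and 53-card decks used above.

```python
from itertools import product

# Added example: physical Faro shuffles compared with the position formula
# from part d. The decks in this problem are odd-sized (9, 53); for an even
# deck the physical out shuffle leaves the bottom card in place, so
# 2p mod N does not describe it.

def interleave(first, second):
    """Alternate cards from two stacks, starting with `first`."""
    out = []
    for i in range(max(len(first), len(second))):
        out.extend(stack[i] for stack in (first, second) if i < len(stack))
    return out

def out_shuffle(deck):
    n = (len(deck) + 1) // 2          # top half keeps the extra card
    return interleave(deck[:n], deck[n:])

def in_shuffle(deck):
    n = len(deck) // 2                # bottom half keeps the extra card
    return interleave(deck[n:], deck[:n])

SHUFFLES = {"O": out_shuffle, "I": in_shuffle}
W = {"O": 0, "I": 1}                  # w(S) as defined in part d

def track(p, seq, size):
    """Position of the card starting at p after applying seq (S_1 first)."""
    deck = list(range(size))
    for s in seq:
        deck = SHUFFLES[s](deck)
    return deck.index(p)

def formula(p, seq, size):
    """Part d: 2^k p + sum_{i=1..k} 2^(k-i) w(S_i), mod N."""
    k = len(seq)
    total = sum(2 ** (k - i) * W[s] for i, s in enumerate(seq, 1))
    return (2 ** k * p + total) % size

def formula_holds(size, max_len=4):
    """Compare formula and physical shuffles for every sequence up to max_len."""
    return all(track(p, seq, size) == formula(p, seq, size)
               for k in range(1, max_len + 1)
               for seq in product("OI", repeat=k)
               for p in range(size))
```

An exhaustive comparison like this is a sanity check on the formula, not a substitute for the proofs asked for in parts b through d.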

## 2. Enigma

The cryptanalysts at Beltchley Park (no relation to Bletchley Park), have recovered a mechanical cipher device used by their arch-enemies the Jansonites. The device appears to be a variant on the Enigma machine. It consists of two rotors and a reflector:

```
                 ________    ________    _______
                 |      |    |      |    |     |
Plaintext ------>|      |--->|      |--->|     |
                 |      |    |      |    |     |
                 |  L   |    |  M   |    |  R  |
                 |      |    |      |    |     |
Ciphertext <-----|      |<---|      |<---|     |
                 |______|    |______|    |_____|
                 Rotor 1     Rotor 2    Reflector
```

Both rotors contain the alphabet in order. Hence, in position 1, the rotor maps `A -> A`, `B -> B`, ..., `Z -> Z`. In position 2, the rotor maps `A -> B`, `B -> C`, ..., `Z -> A`. Rotor 1 advances one position for every letter. Rotor 1 has a ring that makes Rotor 2 advance once. Hence, Rotor 2 will advance one position every 26 letters. The ring is always set so that Rotor 2 will advance after the 26th letter (and every 26 letters after that). In the reverse direction, the rotors have the inverse mapping (e.g., in position 2, rotor 1 in the reverse direction maps `B -> A`).

The reflector connects `A <-> N`, `B <-> O`, `C <-> P`, ..., `M <-> Z`.

**a.** (5) Charles Blabbage claims that decoding messages encoded with the Jansonite Enigma machine is as hard as breaking the Vigenere, which they are convinced is indecipherable (of course, we know better). Show that breaking the Jansonite Enigma cipher is no harder than breaking a Vigenere cipher with a key of a particular length.

**b.** (5) Although Blabbage showed the Jansonite Enigma cipher is no harder to break than the Vigenere cipher, this does not mean it is not easier to break. Describe a more effective attack.

**c.** (15 + possible bonus) The Jansonites believe a more confusing reflector is the key to improving their cipher. They replace the reflector with a random letter mapping, unknown to Beltchley Park. Note that unlike the real Enigma reflector, their reflector is not an involution. It can be any monoalphabetic substitution.

It is known, however, that all messages on a particular day are encrypted with the same day key, and start with the message key repeated three times. The message key is two letters giving the initial rotor orientations for Rotor 1 and Rotor 2. Since the Jansonites are extremely lazy, it is known that the message key is always two identical letters. Hence, you can assume that the first six letters transmitted are all identical (e.g., "FFFFFF" or "UUUUUU"). On one day Beltchley Park intercepted the following ten encrypted messages:

```
DJOXYM GVLCAS UYTQLH OAHFZF CQQEHB BIGAGL PLWLXE EWSWRO VSNJUJ FDVRVQ
```

Each of these messages corresponds to six identical letters encrypted starting with the same rotor orientations.

Determine everything you can about the reflector and day key. (You will receive some credit for determining anything useful about the reflector or day key. For full credit, you must determine a possible reflector and day key setting. For bonus points, you must determine everything that can be determined from the available information and argue convincingly why it is not possible to determine more.)

## 3. Feistel Ciphers

Ben Bitdiddle has invented a Feistel cipher and hired you to check if it is secure. His cipher operates on 64-bit blocks and consists of 4 rounds. For each round:

```
L_i = R_{i-1}
R_i = L_{i-1} XOR F (R_{i-1}, K)
F (m, k) = k XOR m
```

The same 32-bit key, `K`, is used for each round. The final ciphertext is: `C = R_4 || L_4`.

You are given the plaintext-ciphertext pair:

```
plaintext:  0001100100001101011101001100011101101011010100010011101001100010
ciphertext: 0111001001011100010011101010010101101011010100010011101001100010
```

Ben is stubbornly convinced of his genius and the invincibility of his cipher, and is not disturbed by the odd similarity between the second half of the ciphertext and the second half of the plaintext.

(15) Convince Ben the cipher is insecure by determining the key used for the plaintext-ciphertext pair shown above.

## 4. DES

**a.** (10) Quadruple DES

Lem E. Tweakit doesn't think Triple DES is secure enough for encoding his secret sauce recipe. So, he adds an additional stage to Triple DES:

```
C = Ek_4 (Ek_3 (Ek_2 (Ek_1 (P))))
```

where `Ek_n` means DES encrypt using key `k_n`. He uses 4 different 56-bit keys, and believes his cipher has an effective key size of 224 bits.

Is he right? (Estimate the actual key space a brute force attack would need to search.)

**b.** (10) DES Complement

Prove that `C = DES (P, K)` implies `C^ = DES (P^, K^)` where `M^` is the bitwise complement of `M` and `DES (P, K)` is the output of DES encrypting `P` with key `K`. (Hint: show `(A XOR B)^ = A^ XOR B`.)

**c.** (10) By how much does the property you proved in 4b reduce the amount of work required for a known plaintext brute force attack? What about for a ciphertext only brute force attack?

David Evans, evans@cs.virginia.edu