practical cryptography exercise 1
TRANSCRIPT
-
7/27/2019 Practical Cryptography exercise 1
1/6
Exercise 1
Explain why this form of internal feedback is much worse in practice in a non-ideal world, whenthe ciphertext may be corrupted by error.
Solution
In this form of internal feedback, the decryption will be such:
1i i i p Decrypt c p
And since each decryption depends on the previous decryption ( 1i p ), it will cause all the next
decryptions to fail. (And every single error will force all future blocks to be resent)
-
7/27/2019 Practical Cryptography exercise 1
2/6
However, in the other internal feedback structu re, wed get the decryption method:
1i i i p c Decrypt c
And therefore, each corrupted ciphertext block will prevent the decryption of at most two
blocks. (The corresponding plaintext block i p , and the one after it, 1i p )
-
7/27/2019 Practical Cryptography exercise 1
3/6
Exercise 2
When using multiple encryption, which internal feedback structure will guarantee no apparent
output structure, and no complete loss of data when 1 ciphertext block is corrupted?
Solution
An identical feedback structure to the one we saw in question 1:
-
7/27/2019 Practical Cryptography exercise 1
4/6
Observing the multiple encryption as a black box encryption module, will show that this indeeddoes not cause a complete loss of decryption when a single ciphertext block is corrupted. (As wesaw in question 1)
In addition, it does not generate any (apparent) output structure since each ciphertext block is
XORed with the new plaintext.
-
7/27/2019 Practical Cryptography exercise 1
5/6
Exercise 3
Calculate the probability, in the slidex attack, of:
1 1 2 2 1 2k x x c k w w e
(Where e is the common value 1 1 2 2w F x c w F x c )
Solution
For every 1 2 x x , and 1 1 2 1,c k x x k , the four terms:
1 1 2 1 1 2, , , x k x k x c x c Are different in pairs.
Therefore, choosing the permutation F uniformly at random, each of them is mapped u.a.r aswell. As a result, the probability that:
1 1 2 2 1 1 2 1
2 1 1 1 2 2 1 2 1 1 2 1
1 1 2 1 1 2 1 1 2 1
Pr | ,
Pr | ,
1Pr | ,
2
F
F
n F
w F x c w F x c c k x x k
k F x k F x c k F x k F x c c k x x k
F x k F x k F x c F x c c k x x k
(Since whatever the value of 1 1 2 1 1 F x k F x k F x c may be, the probability that
2 F x c will be the same is at most1
2 n.)
Therefore:
1 2
1 2
1 1 2 1 1 1 2 2
1 1 2 1 1 1 2 2
1Pr , |
2
1Pr , | 1
2
x x n F
x x n F
c k x x k w F x c w F x c
c k x x k w F x c w F x c
-
7/27/2019 Practical Cryptography exercise 1
6/6
And since both 1 1 2 1,c k x x k are equally likely when c is chosen u.a.r:
1 1 1 2 2 1,
1 2 1 1 1 2 2 1,
1 1Pr |
2 21 1
Pr | 2 2
nc F
nc F
c k w F x c w F x c
c x x k w F x c w F x c
Now, if 1 2 1c x x k , then:
1 2
2 1 2 1 2 1
2 1 2 1 2 1
2 1 1 1 1 2 1
Pr |
Pr |
Pr | 1
F
x x F
F
k w w e c x x k
k w F x c c x x k
k w F x k c x x k
However, if 1c k , then:
1 2
1
2 1 2 1 1 1 2 2 1
2 1 2 1 1 1 1 2 2 1
1 1 2 1 1 1 1 2 2 1
Pr |
Pr |
Pr | 0
F
x x F
x
F
k w w e w F x k w F x k
k w F x k w F x k w F x k
F x k F x k w F x k w F x k
Since 1 2 1 1 2 1 1 1 2 1 x x x k x k F x k F x k .
Therefore, the require probability is:
2 1 2 1 2 1 1 1 2 2
1 2 1 1 1 2 2 1,
Pr |
1 1Pr |
2 2
F
nc F
k w w e c x x k w F x c w F x c
c x x k w F x c w F x c