
Technische Universiteit Delft

Faculty of Electrical Engineering, Mathematics and Computer Science

Department of Mediamatics
Information and Communication Theory Group

CRYPTOGRAPHY (ET4271)
Exam, Friday March 26, 2004, 14.00 - 17.00

Important:
This exam consists of 4 questions. Since the exam is split up per question for grading,
you must begin each question on a new sheet of paper.
Above all, do not forget to put your name and student number on every sheet!
This exam is in English. If you have problems understanding the English wording of the
questions, do not hesitate to ask the invigilators for help.

Important:
This exam consists of 4 questions. Write the answers for each question on a separate sheet of
paper. This is necessary because the questions are separated for grading. Do not forget to put
your name and student number on every sheet of paper.

Question 1.
In order to generate keys for symmetric systems, a linear feedback shift register (LFSR) is
used as a pseudo-random generator. Assume an LFSR with 4 sections with feedback
function f(x0, x1, x2, x3) = x0 + x1. The initial state of the LFSR is given by 1001.
a) Give the first 16 elements of the sequence which is generated by the LFSR.
b) Show whether this sequence satisfies the postulates of Golomb.
Assume that the output of the foregoing LFSR is used for a one-time pad (with plaintext
length > 100).
c) In the case that RSA is used for key transport, explain what information of the
LFSR should be encrypted by RSA, and how this information should be
represented in a way which enables application of RSA.
Assume that application of the one-time pad leads to a ciphertext whose first elements are
given by C = 1010001110.
d) What are the corresponding elements of the plaintext M? Show that it is an
‘absolutely secure’ system in the sense that H(M/C)=H(M).
Suppose the LFSR with the feedback function and initial state given above is used to generate,
e.g., a Rijndael key of 128 bits.
e) Show whether this key of 128 bits is a (pseudo-)random key in the sense of
Golomb.
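An added example (not part of the exam paper): the LFSR of Question 1, a check of Golomb's three postulates on one period, and the one-time-pad XOR. The convention that the register outputs x0, shifts left and feeds x0 + x1 back into x3 is my assumption, as the question does not fix a direction.

```python
# Added example, not part of the exam: the Question 1 LFSR and a check of
# Golomb's three postulates. Assumed convention: state (x0,x1,x2,x3), the
# register outputs x0, shifts left and feeds f = x0 XOR x1 back into x3.
from itertools import groupby


def lfsr(state, n):
    """First n output bits of the LFSR with feedback f(x0,x1,x2,x3) = x0 + x1."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [s[0] ^ s[1]]          # shift left, new x3 = x0 + x1 (mod 2)
    return out


def period(state):
    """Steps until the register returns to `state` (2^4 - 1 = 15 is maximal)."""
    s = list(state)
    for k in range(1, 2 ** len(s)):
        s = s[1:] + [s[0] ^ s[1]]
        if s == list(state):
            return k
    return None


def golomb(seq):
    """Golomb's postulates on one full period `seq`, treated cyclically.
    Returns (balanced, runs_ok, two_valued_autocorrelation)."""
    n = len(seq)
    if all(b == seq[0] for b in seq):      # constant sequence: fails everything
        return False, False, False
    balanced = abs(seq.count(1) - seq.count(0)) <= 1
    # R2: rotate to a run boundary so the cyclic runs are counted correctly.
    i = next(k for k in range(n) if seq[k] != seq[k - 1])
    rot = seq[i:] + seq[:i]
    runs = [(b, len(list(g))) for b, g in groupby(rot)]
    runs_ok = True
    for length in range(1, max(l for _, l in runs) + 1):
        n0 = sum(1 for b, l in runs if b == 0 and l == length)
        n1 = sum(1 for b, l in runs if b == 1 and l == length)
        expected = len(runs) // 2 ** length   # half of length 1, a quarter of 2, ...
        if expected > 1 and (n0 + n1 < expected or n0 != n1):
            runs_ok = False
    # R3: C(tau) = (agreements - disagreements)/n takes one value for tau != 0.
    ac = {sum(1 if seq[k] == seq[(k + t) % n] else -1 for k in range(n)) / n
          for t in range(1, n)}
    return balanced, runs_ok, len(ac) == 1


def one_time_pad(bits, keystream):
    """XOR a bit list with the keystream (encryption and decryption coincide)."""
    return [b ^ k for b, k in zip(bits, keystream)]
```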

Question 2.
Within a network it is required that communication is such that message authentication is
guaranteed. In order to obtain message authentication a public key system is used.
Consider Alice and Bob. Alice wants to send a data file M to Bob. She generates the
following ciphertext: C1 = ePB(dSA(M//A)).
PB and SA are the public key of Bob and the secret key of Alice, respectively. A is
personal information of Alice; name, address etc.
a) Explain why the personal information A has been added to M.
b) What can be said about the strength of the system if Alice changes the order of
encryption and decryption, i.e. instead of C1 = ePB(dSA(M//A)) she computes
C1 = dPB(eSA(M//A))? Make a distinction between the use of RSA and Elliptic Curves
(El Gamal).
In the following it is assumed that Alice and Bob apply RSA. Alice uses the primes p=2,
q=11, whereas her public key part is equal to e=7. In the same way Bob has also his own
p, q, and e.
c) Assume Alice and Bob had selected the same primes p and q, but they do not
know this about each other. Discuss whether this will affect the strength of the
system.
Let us now assume further that for Bob: p=5, q=13 and that his secret key is equal to
d=29.
d) Compute the public key of Bob by using the Euclidean algorithm (!).
e) Compute the secret key of Alice.
f) For the case that (M//A) = 8, give C1 = ePB(dSA(M//A)) and show the
intermediate computations.
g) Show what computations Bob should perform in order to decrypt and verify the
message.
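An added example (not part of the exam paper): RSA key completion with the extended Euclidean algorithm and the sign-then-encrypt flow C1 = ePB(dSA(M//A)) of Question 2, using the exam's toy primes; the function names are mine, and the check that the signed value is below Bob's modulus is a caveat the question's order of operations depends on.

```python
# Added example, not from the exam: RSA with the extended Euclidean algorithm and
# the Question 2 flow C1 = ePB(dSA(M//A)) on the exam's toy parameters.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def inverse(a, m):
    """a^-1 mod m; fails if gcd(a, m) != 1, i.e. a is not a valid RSA exponent."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m


def rsa_keys(p, q, e=None, d=None):
    """Complete (n, e, d) from p, q and whichever exponent is given."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e is None:
        e = inverse(d, phi)
    elif d is None:
        d = inverse(e, phi)
    return n, e, d


def sign_then_encrypt(m, alice, bob):
    """C1 = ePB(dSA(M//A)): sign with Alice's secret d, then encrypt for Bob."""
    n_a, _, d_a = alice
    n_b, e_b, _ = bob
    s = pow(m, d_a, n_a)              # dSA(M//A), a value below n_a
    if s >= n_b:                      # would not survive reduction mod n_b
        raise ValueError("signature exceeds Bob's modulus; reblocking needed")
    return pow(s, e_b, n_b)           # ePB(...)


def decrypt_then_verify(c1, alice, bob):
    """Bob's side: undo ePB with his d, then undo dSA with Alice's public e."""
    n_a, e_a, _ = alice
    n_b, _, d_b = bob
    s = pow(c1, d_b, n_b)
    return pow(s, e_a, n_a)           # recovers M//A; Bob then checks A


ALICE = rsa_keys(2, 11, e=7)          # exam: p=2, q=11, e=7
BOB = rsa_keys(5, 13, d=29)           # exam: p=5, q=13, d=29
```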

Question 3.
Rijndael is chosen as the Advanced Encryption Standard and will be the most
important symmetric algorithm for the future. It consists of several operations that are
repeated a number of times. This question is about these operations and the usage of
Rijndael.
In Rijndael the input block and key are represented by hexadecimal numbers in matrices.
The following 192-bit input block is given:
INPUT: 77 CA D3 89 11 14 18 52 5A B6 79 AD F7 83 21 2A C4 D9 F3 4D 6D 7C 89 12
The 128-bit key that is used is:
KEY: 01 AB F9 27 38 AF 7D E2 73 89 10 BE 9A 14 61 C7

a) Write the above input block and key into the matrix representation of Rijndael.

One of the operations in Rijndael is called SubBytes: substitution of bytes by other bytes.
This can be seen as an operation where each value is replaced by its corresponding value
in the S-box. To gain more insight into the security of Rijndael it is useful to know how the
S-box is generated. This is done as follows. First the multiplicative inverse in GF(2^8) is
calculated using the irreducible polynomial

$f(x) = x^8 + x^4 + x^3 + x + 1$

b) Represent element a = '1E' as a polynomial and prove that the multiplicative
inverse of element a with irreducible polynomial f(x) (i.e. mod f(x)) is given by
$a^{-1} = (x^7 + x^6 + x^5 + x^3 + x^2 + x) \bmod f(x)$.

The second and final step to compute an element of the S-box is to compute y, which is
the S-box output value in bits, given by:

$$
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \\ x_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

where the vector x is the inverse calculated in b), represented in bits.
c) What is the importance of the S-box in Rijndael with respect to security?

d) Compute the S-box output value when the input is the multiplicative inverse of
element a=’1E’.

With the help of the key the subkeys for the various rounds are computed. The initial key
is W0, W1, W2, W3, where W0 is the first column of the key matrix, etc. For W4 it holds that:
W4 = W0 ⊕ SubBytes(S1 W3)
Let the elements of column W3 be a, b, c, d. S1 means a cyclic shift of W3 to obtain b, c, d, a.
The S-box is given below; the row index x is the high nibble of the input byte and the
column index y is the low nibble:

x\y  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1   ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2   b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3   04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4   09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5   53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6   d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7   51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8   cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9   60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a   e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b   e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c   ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d   70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e   e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f   8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

e) Compute the first byte of W4 based on the information above.

f) What will be the length of the subkey of round 1? Explain your answer.
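An added example (not part of the exam paper) covering the S-box construction of b) and d) and the key-schedule step of e): multiplication and inversion in GF(2^8) modulo the polynomial above, the affine map with the matrix and constant as printed, and the exam's rule W4 = W0 ⊕ SubBytes(S1 W3). Function names are mine; note that the exam's W4 rule omits the round constant that the real Rijndael key schedule XORs into the first byte, which the optional rcon argument reproduces.

```python
# Added example, not from the exam: Rijndael S-box construction (inverse in
# GF(2^8) mod x^8+x^4+x^3+x+1, then the affine map) and the exam's W4 rule.
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1; bit i of a byte is the x^i coefficient
# Affine matrix rows (row i gives y_i from x_0..x_7) and constant c, as in the exam.
A = [[1,0,0,0,1,1,1,1], [1,1,0,0,0,1,1,1], [1,1,1,0,0,0,1,1], [1,1,1,1,0,0,0,1],
     [1,1,1,1,1,0,0,0], [0,1,1,1,1,1,0,0], [0,0,1,1,1,1,1,0], [0,0,0,1,1,1,1,1]]
C = [1, 1, 0, 0, 0, 1, 1, 0]

def gf_mul(a, b):
    """Multiply in GF(2^8): shift-and-add, reducing by POLY whenever x^8 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) (Lagrange); 0 is mapped to 0 as in AES."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(x):
    """y = A x + c over GF(2), with x_i = bit i of x."""
    xb = [(x >> i) & 1 for i in range(8)]
    y = 0
    for i in range(8):
        y |= ((sum(A[i][j] & xb[j] for j in range(8)) + C[i]) & 1) << i
    return y

def sbox(a):
    return affine(gf_inv(a))

def w4(key, rcon=0x00):
    """Exam rule W4 = W0 xor SubBytes(S1(W3)); real AES also XORs Rcon[1] = 0x01
    into the first byte, which rcon=0x01 reproduces."""
    w0, w3 = list(key[0:4]), list(key[12:16])    # columns of the key matrix
    sub = [sbox(b) for b in w3[1:] + w3[:1]]      # S1: a,b,c,d -> b,c,d,a
    out = [p ^ q for p, q in zip(w0, sub)]
    out[0] ^= rcon
    return out

KEY = bytes.fromhex("01ABF92738AF7DE2738910BE9A1461C7")   # key given in Question 3
```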

Question 4.
This exercise is about the information-theoretic approach to cryptology. The following
notation is used: the letter M denotes the plaintext, C the ciphertext and K the key.

a) Prove the following:

$H(M/C) = H(K/C) - H(K/M,C)$

b) Explain what is meant by the term "cryptographic dilemma", which is
represented by the equation given in a).

Assume the following memoryless source that generates symbols of an alphabet with 8
elements, A = (a1, a2, a3, a4, a5, a6, a7, a8), with probabilities:

$p = \left(\tfrac{1}{2}, \tfrac{1}{4}, \tfrac{1}{8}, \tfrac{1}{16}, \tfrac{1}{32}, \tfrac{1}{64}, \tfrac{1}{128}, \tfrac{1}{128}\right)$

c) Give the expression for the unicity distance in case the output of the message
source is encrypted by a Caesar cipher. Compute this unicity distance for the
memoryless source given above.

d) Compute the unicity distance in case a Vigenère cipher (poly-alphabetic
substitution) is used with key length 5 (i.e. 5 columns of the Vigenère tableau are
used) and for which all keys are equiprobable. How does this relate to the expression
given in c)? Explain your answer (max. 40 words).

e) From the expression for the unicity distance it can be seen that it is wise to
remove the redundancy. This is done by using data compression techniques. Apart
from data compression the sender of the message also wants to encrypt the
message and add an error-correcting code such that it is resistant against faults
made during transmission. Give the correct order of these operations and give a
short explanation.
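An added example (not part of the exam paper) carrying the unicity-distance expression of c) and d) through with exact fractions for the source above. The assumptions are mine: the Caesar cipher on this 8-symbol alphabet has 8 equiprobable shifts, and a Vigenère key of length 5 consists of 5 independent such shifts.

```python
# Added example, not from the exam: entropy, redundancy and unicity distance
# n0 = H(K)/D for the Question 4 source, computed with exact fractions.
# Assumed: the Caesar cipher on the 8-symbol alphabet has 8 equiprobable shifts
# and a Vigenere key of length 5 is 5 independent such shifts.
from fractions import Fraction
from math import log2

P = [Fraction(1, d) for d in (2, 4, 8, 16, 32, 64, 128, 128)]   # source from the exam


def entropy_bits(p):
    """H = sum p_i log2(1/p_i); exact here because every 1/p_i is a power of two."""
    assert sum(p) == 1
    return sum(pi * Fraction(log2(pi.denominator / pi.numerator)) for pi in p)


def redundancy(p, alphabet_size):
    """D = log2|A| - H(source): the per-symbol redundancy a cryptanalyst exploits."""
    return Fraction(log2(alphabet_size)) - entropy_bits(p)


def unicity_distance(key_entropy_bits, p, alphabet_size):
    """n0 = H(K) / D: ciphertext symbols after which the key is (in theory) unique."""
    return Fraction(key_entropy_bits) / redundancy(p, alphabet_size)


H_SOURCE = entropy_bits(P)                                  # 127/64 bits per symbol
N0_CAESAR = unicity_distance(log2(8), P, 8)                 # H(K) = 3 bits
N0_VIGENERE = unicity_distance(5 * log2(8), P, 8)           # H(K) = 15 bits
```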
