
CMPT 404 Cryptography and Protocols Outline Solutions to Exercises on Pseudorandom Generators, Functions and Permutations.

1. (a) Which of the following functions are superpolynomial: 2^n; n^{log n}; n log n? (b) Prove that for every superpolynomial function T the function (T(n^{1/3}))^{1/3} / n^3 is also superpolynomial.

(a) 2^n and n^{log n} are superpolynomial; n log n is not.

(b) If (T(n^{1/3}))^{1/3} / n^3 < p(n) for some polynomial p(n), then T(n^{1/3}) < n^9 p^3(n), and T(m) < m^{27} p^3(m^3), where m = n^{1/3}. However, m^{27} p^3(m^3) is a polynomial in m, contradicting the assumption that T is superpolynomial.

2. (optional) This exercise enables you to test your favorite pseudorandom generator. The test is based on a well-known property of random integers: given two randomly chosen integers m and n, the probability that they are relatively prime (their greatest common divisor is 1) is 6/π^2. Use this property in a program to determine statistically the value of π. The program should call the random number generator from the system library to generate the random integers. It should loop through a large number of random numbers to estimate the probability that two numbers are relatively prime. From this find an approximate value of π. Report the type/name of the random number generator(s), the number of pairs of numbers in your sample, and the approximate value of π. How accurate is it?

3. Suppose you have a true random bit generator where each bit in the generated stream has the same probability of being a 0 or 1 as any other bit in the stream, and the bits are not correlated; that is, the bits are generated from identical independent distributions. However, the bit stream is biased. The probability of a 1 is 1/2 + ε, and the probability of a 0 is 1/2 − ε, where 0 < ε < 1/2. A simple deskewing algorithm is as follows: examine the bit stream as a sequence of non-overlapping pairs. Discard all 00 and 11 pairs. Replace each 01 pair with 0 and each 10 pair with 1.
(a) What is the probability of occurrence of each pair in the original sequence?
(b) What is the probability of occurrence of 0 and 1 in the modified sequence?
(c) What is the expected number of input bits to produce k output bits?
(d) Suppose that the algorithm uses overlapping successive bit pairs instead of non-overlapping successive bit pairs. That is, the first output bit is based on input bits 1 and 2, the second output bit is based on input bits 2 and 3, and so on. What can you say about the output bit stream? Is it independent?
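
A simulation of the deskewing algorithm of exercise 3, added here as a check on the answers that follow (it is not part of the solution sheet): the biased source is constructed with an assumed bias eps and seed, and both the non-overlapping variant and the overlapping variant of part (d) are run over the same stream.

```python
import random

def biased_bits(n, eps, seed=1):
    """Constructed biased source: each bit is 1 with probability 1/2 + eps, i.i.d."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 + eps else 0 for _ in range(n)]

def deskew_nonoverlapping(bits):
    """Exercise 3: disjoint pairs; drop 00 and 11, map 01 -> 0 and 10 -> 1."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)   # the first bit of the pair is the output bit
    return out

def deskew_overlapping(bits):
    """Part (d): the same rule applied to the pairs (b_i, b_{i+1}) for every i."""
    out = []
    for i in range(len(bits) - 1):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def frequency_of_one(bits):
    return sum(bits) / len(bits) if bits else 0.0

def is_alternating(bits):
    """True when no two consecutive output bits are equal (the 0101... pattern)."""
    return all(bits[i] != bits[i + 1] for i in range(len(bits) - 1))

def expected_input_bits(k, eps):
    """Part (c): 2k / (1/2 - 2 eps^2) input bits on average for k output bits."""
    return 2 * k / (0.5 - 2 * eps * eps)

def experiment(n=200_000, eps=0.2, seed=1):
    """Runs both variants over one constructed stream and reports the statistics."""
    src = biased_bits(n, eps, seed)
    non_overlap = deskew_nonoverlapping(src)
    overlap = deskew_overlapping(src)
    return {
        "source_p1": frequency_of_one(src),              # about 1/2 + eps
        "nonoverlap_p1": frequency_of_one(non_overlap),  # about 1/2 (part b)
        "nonoverlap_len": len(non_overlap),
        "expected_len": (n / 2) * (0.5 - 2 * eps * eps),  # part (c)
        "overlap_alternates": is_alternating(overlap),   # always True (part d)
    }
```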

(a) Since every bit is chosen independently, the first bit of a pair is 1 with probability 1/2 + ε and 0 with probability 1/2 − ε. The same is true for the second bit of the pair, and it is independent of the first bit. Thus 00 occurs with probability (1/2 − ε)(1/2 − ε); 01 occurs with probability (1/2 − ε)(1/2 + ε); 10 occurs with probability (1/2 + ε)(1/2 − ε); and 11 occurs with probability (1/2 + ε)(1/2 + ε).
(b) Since the probabilities of 01 and 10 in the original stream are equal, 0 and 1 also occur with the same probability in the modified stream, that is, 1/2.
(c) We consider the original stream as a sequence of pairs. The pairs are clearly independent, so to find the expected number of bits in the output we need the probability that a pair is 01 or 10. This probability equals 2(1/2 + ε)(1/2 − ε) = 1/2 − 2ε^2. Thus, if the original stream contains n bits (assume n is even), then the expected number of output bits is (n/2)(1/2 − 2ε^2). If we want to obtain k output bits, the expected number of original bits is 2k/(1/2 − 2ε^2).
(d) The output stream is not independent. Indeed, if some output bit is 0, that is, the original stream contains the pair 01, then the next pair starts with 1. If it is 10, then the next output bit is 1. If the original stream contains several consecutive 1s, then some pairs are 11 and therefore skipped; but then the first pair that is not skipped must be 10. In a similar way, after each 1 in the output stream we must have a 0. Thus the output stream looks like 01010101...

4. Suppose we use a full length RC4 seed (256 bytes) in the Key Scheduling Algorithm. Which RC4 key value leaves S unchanged during the KSA? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 to 255 in ascending order.

The initialization phase of RC4 (that is, the KSA) works as follows. It starts with the identity permutation S[i] = i, and the key K, T[i] = K[i (mod keylength)]. Since in our case keylength = 256, we may assume T = K. Then, starting from i = j = 0, it performs 256 rounds of the form j = (j + S[i] + T[i]) (mod 256) and Swap(S[i], S[j]). Therefore, if we can choose T in such a way that j = i in every iteration, the resulting S will still be the identity permutation. Clearly, in the first iteration, i = 0, the value T[0] = 0 will do. Suppose we are successful up to iteration i − 1, that is, after considering rounds 0, 1, ..., i − 1 the permutation S remains the identity permutation, and the current value of j is i − 1. Then in round i the value of j is set to j = j + S[i] + T[i] (mod 256) = i − 1 + i + T[i] (mod 256). We want it to be i, and so we need to solve the equation i = i − 1 + i + T[i] (mod 256), which gives T[i] = 1 − i (mod 256).
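
The key of exercise 4 checked against a straightforward RC4 KSA, as an added example (not from the solution sheet): the key bytes are T[0] = 0 and T[i] = (1 − i) mod 256 for i ≥ 1, and the trace shows j = i in every round, so every swap is a no-op.

```python
def rc4_ksa(key):
    """Key-scheduling algorithm of RC4: returns the state permutation S."""
    if not key:
        raise ValueError("key must be non-empty")
    klen = len(key)
    S = list(range(256))                     # identity permutation S[i] = i
    T = [key[i % klen] for i in range(256)]  # T = K when the key is 256 bytes
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def identity_preserving_key():
    """Exercise 4: T[0] = 0 and T[i] = 1 - i (mod 256) for i >= 1 keep j == i."""
    return bytes([0] + [(1 - i) % 256 for i in range(1, 256)])

def leaves_state_unchanged(key):
    """True when the KSA ends with S still equal to 0, 1, ..., 255."""
    return rc4_ksa(key) == list(range(256))

def ksa_trace(key, rounds=4):
    """Returns the (i, j) pairs of the first few rounds, to show j tracking i."""
    klen = len(key)
    S = list(range(256))
    T = [key[i % klen] for i in range(256)]
    j, trace = 0, []
    for i in range(rounds):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
        trace.append((i, j))
    return trace

if __name__ == "__main__":
    k = identity_preserving_key()
    print(k.hex())
    print(leaves_state_unchanged(k), ksa_trace(k))
    print(leaves_state_unchanged(b"Key"))   # an ordinary key scrambles S
```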

5. The RSA SecurID card is a credit-card sized device that displays 6 digits that change every minute. The idea is that when you log into your account remotely (say, when you want to log into your UNIX account at SFU from an Internet cafe) you have to type the numbers that appear on the card in addition to your PIN or password.
(a) What is the security advantage of such a card over a traditional password? That is, what sort of attack can this card resist which cannot be resisted using a standard password mechanism? (Assume that it is possible for users to remember a 6-digit PIN or a password with similar security.)
(b) Describe how you would implement such a scheme using pseudorandom functions. Assume that the PRF family takes a seed of size n, and that the number of possible devices is m (for m < 2^n). How many bits of storage does your implementation use at the server and at each of the devices? (There is an implementation that uses at most O(n) bits.)
(c) Try to define what it means that such a scheme is secure and sketch a proof that your construction satisfies it (you don't have to formally define and prove it if you don't want to; you can use English, but try to be precise). Say how the security depends on n, the number of bits that the device stores in memory (where its running time is polynomial in n), and on k, the number of digits that we display to the user.

(a) This device can be used in 2 modes. First, if a block cipher is used, then the device provides a pseudorandom string that can be added to a password. Second, if a stream cipher is used, the device provides an extra password that changes all the time (don't forget to replace the batteries). In either case it improves the security of protocols in which the key is not changed frequently. A possible attack on such a protocol is to intercept the encrypted password and later use it to get access to the server. If the password effectively changes every minute, this type of attack is less likely.
(b) Let {f_s} be a PRF and s a key assigned to each individual device. Then the device outputs f_s(m) (mod 10^6), where m is the number of minutes passed since a certain moment, modulo 2^n. Then both the device and the server must store only the current time m and a secret key s. Moreover, for the device the key can be replaced with an implementation of the function f_s rather than the family {f_s}.
(c) The device is secure if a polynomial time adversary ADV, after seeing polynomially many pairs (m, f_s(m)), does not have a significant advantage in guessing such a pair for a fresh m: Pr[ADV(m) = f_k(m)] < (k).

6. Let {f_s}, f_s: {0,1}^n → {0,1}^n, be a secure PRP. Consider the family of permutations {f'_s}, f'_s: {0,1}^{2n} → {0,1}^{2n}, defined as follows: for any x, x' ∈ {0,1}^n, f'_s(x x') = f_s(x) f_s(x ⊕ x') (x x' denotes the concatenation of x and x'). Show that {f'_s} is not a secure PRP.

It suffices to observe that f'_s on strings of the form x 0^n (that is, the last n bits equal to 0) outputs f_s(x) f_s(x). The probability that a random function outputs such a repeated string is 2^{-n}, and therefore f'_s can easily be distinguished from a random function.

7. Let {f_s} be a pseudorandom permutation collection, where for s ∈ {0,1}^n, f_s is a permutation over {0,1}^m. Consider the following scheme (E, D) that encrypts m/2-bit messages in the following way: on input x ∈ {0,1}^{m/2}, E_k chooses r at random from {0,1}^{m/2} and outputs f_k(x, r) (where the comma denotes concatenation); on input y ∈ {0,1}^{m/2}, D_k computes (x, r) = f_k^{-1}(y) and outputs x. Give an idea of a proof that (E, D) is a CPA-secure encryption scheme.

Suppose that there is a polynomial time Eve that breaks the scheme. As in the proofs of CPA-security, we use Eve to distinguish {f_s} from a random function. First we observe that if we use a random function g in the scheme instead of {f_s}, then the scheme becomes CPA-secure. Indeed, since Alice adds a random part to the plaintext, the outputs Eve obtains for her queries are just random strings that carry no information. Thus the only way to make a choice between plaintexts P_1, P_2 is to choose one at random. The probability to guess it correctly is 1/2. Now let a distinguisher Dist be given access to a black box G(x) that can be either f_s for a certain s or F. The distinguisher works as follows: it runs Eve; when Eve sends two plaintexts P_1, P_2, it selects P_i at random, chooses a random string r ∈ {0,1}^{m/2} and returns G(P_i, r); every time Eve makes a request to encrypt P, it chooses a random string r ∈ {0,1}^{m/2} and returns G(P, r); when Eve makes her decision j, it outputs 1 if i = j and 0 if i ≠ j. The probability that i = j in the game with a truly random function equals 1/2. In the game with the PRF the probability to get 1 is greater than (m) for some polynomial (m). Therefore |Pr[Dist(Game 1) = 1] − Pr[Dist(Game 2) = 1]| ≥ (m), and Dist distinguishes between a random function and the PRF. A contradiction.
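
The distinguisher of exercise 6 in runnable form, added here as an example (not from the solution sheet). The n = 8-bit "PRP" is a seeded random permutation table that stands in for f_s, since the flaw is in the construction and does not depend on which permutation f_s is; the width N, seeds and query count are assumed values.

```python
import random

N = 8                       # toy width n of f_s (assumed; any n works the same way)
MASK = (1 << N) - 1

def make_prp(seed=7):
    """Stand-in for f_s: a seeded random permutation table on {0,1}^n."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]

def make_f_prime(f):
    """The construction of exercise 6: f'_s(x || x') = f_s(x) || f_s(x xor x')."""
    def f_prime(xx):
        x, x_prime = xx >> N, xx & MASK
        return (f(x) << N) | f(x ^ x_prime)
    return f_prime

def make_random_function(seed=11):
    """A truly random function {0,1}^2n -> {0,1}^2n, sampled lazily per input."""
    rng, table = random.Random(seed), {}
    def g(xx):
        if xx not in table:
            table[xx] = rng.getrandbits(2 * N)
        return table[xx]
    return g

def halves_repeat(y):
    return (y >> N) == (y & MASK)

def distinguisher(oracle, queries=8):
    """Queries x || 0^n for several x. f'_s always answers f_s(x) || f_s(x);
    a random function repeats its halves with probability 2^-n per query.
    Returns True when the oracle looks like the construction."""
    for x in range(queries):
        if not halves_repeat(oracle(x << N)):
            return False
    return True

def advantage(queries=8, trials=200):
    """Empirical distinguishing advantage over many independent oracles."""
    hits_prp = sum(distinguisher(make_f_prime(make_prp(s)), queries) for s in range(trials))
    hits_rnd = sum(distinguisher(make_random_function(s), queries) for s in range(trials))
    return (hits_prp - hits_rnd) / trials
```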

8. Prove that AES is a permutation.

Consider every step of AES encryption, and show it is invertible. The first step, s := P ⊕ k_0, is obviously invertible, as P = s ⊕ k_0. Now we consider each step in each of the rounds of AES. For the S-box, invertibility follows from the property of the multiplication defined: every element has an inverse. Since S(a) = a^{-1}, the inverse function is S itself. Shift-rows is just a permutation of bytes, and clearly invertible. Mix-cols is defined through multiplication by a certain matrix A. Check that the determinant of this matrix is 38. Therefore, there is A^{-1}, which guarantees invertibility.

9. Consider a Feistel network composed of 16 rounds with a block length of 128 bits and a key of length 128 bits. Suppose that, for a given key k, the key scheduling algorithm determines values for the first 8 subkeys, k_1, k_2, ..., k_8, then sets k_9 = k_8, k_{10} = k_7, k_{11} = k_6, ..., k_{16} = k_1. Suppose you have a ciphertext C. Explain how, with access to the encryption algorithm as a black box, you decrypt C and determine the plaintext P using just a single query. This shows that such a cipher is vulnerable to a chosen plaintext attack. Hint: you may need to read about general properties of block ciphers based on Feistel networks (Stallings' book). As an optional exercise try to show that DES satisfies the required property.

The idea of Feistel networks is that the decryption algorithm is the same as the encryption one, only using the subkeys in the reverse order. However, with the subkey generation algorithm described in the problem, the reverse order of subkeys is the same as the original one. Thus the encryption algorithm used as a black box decrypts the ciphertext. On a more detailed level, a Feistel network divides an input string into two halves, L_0, R_0, and then updates the halves using the following rules: on round i it starts with strings L_{i−1}, R_{i−1} and sets

L_i = R_{i−1}, R_i = L_{i−1} ⊕ F(R_{i−1}, K_i),

where F is a round function (fixed, realized through S-boxes), and K_i is the i-th round subkey. Now we have to show that

R_{i−1} = L_i, L_{i−1} = R_i ⊕ F(L_i, K_i).

(This means that applying the algorithm and swapping the two halves we in the end obtain the plaintext.) The first equation is obvious; to obtain the second we observe that L_i = R_{i−1}, and so F(L_i, K_i) = F(R_{i−1}, K_i). The second equation follows.

10. (optional) Given a PRF {f_s}, f_s: {0,1}^{|s|} → {0,1}^{|s|}, construct a PRF {g_s} with g_s: {0,1}^{|s|} → {0,1}^{2|s|}, which is a secure PRF as long as {f_s} is secure.
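
Exercise 9 carried out in code, as an added example (not from the solution sheet): a 16-round, 128-bit Feistel network with the palindromic subkey schedule and the DES-style final swap of the halves, so that one call to the encryption black box on C returns P. The SHA-256-based round function and the subkey derivation are constructed stand-ins for the S-box based ones; a non-palindromic schedule is included for comparison.

```python
import hashlib

ROUNDS, HALF = 16, 8          # 128-bit block = two 64-bit halves, 16 rounds

def round_function(right, subkey):
    """Constructed round function F (stands in for the S-box based one)."""
    return hashlib.sha256(right + subkey).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_subkeys(key, palindromic=True):
    """Exercise 9's schedule: 8 derived subkeys, then k9 = k8, ..., k16 = k1.
    With palindromic=False all 16 subkeys are distinct (assumed derivation)."""
    ks = [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]
    return ks[:8] + ks[:8][::-1] if palindromic else ks

def feistel(block, subkeys):
    """Feistel network with the final swap (as in DES): L_i = R_{i-1},
    R_i = L_{i-1} xor F(R_{i-1}, K_i); the output is R_16 || L_16."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 128 bits")
    L, R = block[:HALF], block[HALF:]
    for k in subkeys:
        L, R = R, xor(L, round_function(R, k))
    return R + L

def encrypt(key, plaintext, palindromic=True):
    return feistel(plaintext, derive_subkeys(key, palindromic))

def decrypt(key, ciphertext, palindromic=True):
    """Genuine decryption: the same network with the subkeys in reverse order."""
    return feistel(ciphertext, derive_subkeys(key, palindromic)[::-1])

def recover_with_one_query(key, ciphertext):
    """The attack of exercise 9: a single call to the encryption black box,
    which with the palindromic schedule is identical to decryption."""
    return encrypt(key, ciphertext)
```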
