Sebery J.Cryptography.An introduction to computer security.1989

on other 22 vectors. More precisely, let = (001). Then S(x) S(x ) runs through vectors (010), (011), (100), (101) twice while x runs through3 once. If = (111), then S(x) S(x ) runs through vectors (001), (011), (101), (111) twice while x runs through 3 once.

Permutations de ned in GF (2n) also need to be chosen as some of them exhibit good cryptographic properties. It turns out [405] that exponentiation can produce cryptographically strong S-boxes. Being more speci c, the S-boxes S : n ! n de ned as S(x) = x3, x 2 GF (2n) where n is odd, are permutations with the following properties [405, 377, 378, 30]:

S10 Any nonzero linear combination of the coordinate functions, is balanced. This results from the fact that cubing is a permutation. Any nonzero linear combination f of the coordinate functions has a high nonlinearity and Nf

2n 1 212 (n 1).

S30 Any nonzero linear combination of the coordinate functions satis es the propagation criterion except for a single nonzero vector.

S50 S(x) has a good XOR pro le, i.e. S(x) S(x ) runs through a subset of 2n 1 vectors in n twice while x runs through n once. The remaining 2n 1 vectors do not occur.

The design of S-boxes is not free from some pitfalls. A special care needs to be exercised when a cryptographically strong S-box is modi ed by adding or reducing output bits. Consider an S-box S(x) = (f1(x); : : : ; fk(x)) which is regular and has a good XOR pro le where fi : n ! GF (2) for i = 1; : : : ; k. It turns out [462] that S(x) = (f1(x); : : : ; ft(x)) where t < k is regular but does not have a good XOR pro le.

On the other hand, for any regular S-box S(x) = (f1(x); : : : ; fk(x)) with a

good XOR pro le, there is a collection of functions fk+1(x); : : : ; fs(x) such that the extended S-box S0(x) = (f1(x); : : : ; fk(x), fk+1(x); : : : ; fs(x)) is a regular mapping from n to s but does not have a good XOR pro le.

162 3 PRIVATE-KEY CRYPTOSYSTEMS

3.7 Problems and Exercises

1.Write C programs for the implementation of the following ciphers:

{the Caesar cipher,

{the aÆne cipher,

{the monoalphabetic substitution cipher,

{the transposition cipher,

{the homophonic substitution cipher,

{the Vigenere cipher,

{the Beauford cipher.

Your programs should include routines for both encryption and decryption.

2.The Caesar cipher is relatively easy to break. Write a C program, which is rst fed by a sample text to collect statistical properties of the language. Then use the statistics to cryptanalyze a given ciphertext by comparing it with the statistics computed for the ciphertext.

3.Design and implement a C program for cryptanalysis of the aÆne cipher. Your program must not use the enumeration of all possible keys but should use the frequencies of characters to make \optimal" guesses about the key.

4.Write a computer program which calculates the index of coincidence. Run the program for di erent texts. Try an English text, a text of a high level programming language and a text of random characters generated by a pseudorandom generator. Compare and discuss the results.

the network of P-boxes and S-boxes. The P-box P : Z4 ! Z4 where P(x1; x2; x3; x4) =

26 26

(x1; x3; x2; x4) and the S-box S : Z262 ! Z262 is de ned as S(x; y) = (x + k1y mod 26; k2x + y mod 26)

where k = (k1; k2) and gcd (ki; 26) = 1 for i = 1; 2. Derive the encryption and decryption formulas for a cipher with n iterations. Analyze the cipher and try to break it under the known-plaintext attack. How the security depends on the number of iterations.

6.Consider the above product cipher with the S-box built using a Feistel permutation de ned as

S(x; y) = (x; y + k1xk2 mod 26):

Derive encryption and decryption formulas for the cipher with n iterations. Analyze the cipher for the known-plaintext attack and discuss its strength in relation to the number of iterations.

7.Design a DES type cryptosystem which encrypts 16-bit messages into 16-bit cryptograms and applies a functions f : 8e ! 8 of the form:

f (ki; Ri 1) = (ki Ri 1)

for e = 7 in GF(28). What would happen if the exponent was e = 2; 3; 4; 5; 6? Implement the cipher. Assume a reasonable key scheduling.

i = 1; 2; : : :. The sequence of cryptograms ci = Ek(mi) is subject to many attacks which exploit the lack of links between consecutive cryptograms. Consider the following chaining scheme in which ci = Ek(mi) ci 1 for i = 1; 2; : : :. Is this scheme better than the ECB mode? Justify your answer.

11.Assume that encryption applies the CBC mode and during transmission a single cryp-

togram ci = Ek(mi ci 1) has been corrupted due to a noise in the communication channel. Which messages cannot be reconstructed at the receiver side? Support your answer by a detailed analysis.

12.Suppose the sender uses the CFB mode to protect the transmitted messages against tampering with the sequence of cryptograms. Let the sender transmit a sequence of cryptograms c1; c2; c3; c4; c5; c6. An attacker has changed the order of cryptograms so the receiver gets c1; c2; c4; c3; c5; c6. Which messages will be correctly recovered by the receiver?

13.Consider GF (23) with addition and multiplication given in Table 2.2. Let an S-box be

de ned by s = f(s) = s3 in GF (23) where s 2 GF(23). Construct an XOR pro le of the S-box.

14.An S-box is de ned by Table 3.17. The XOR pro le of the S-box is given below:

164 3 PRIVATE-KEY CRYPTOSYSTEMS

The key is XOR-ed with the input of the S-box. Given two observations s1 k = 3 and s2 k = 7 and their corresponding output di erence = s1 s2 = 5, what can you tell about the key k?

15.Given a DES-type encryption algorithm which encrypts 6-bit messages into 6-bit cryptograms using four rounds. Each round applies the S-box described in Table 3.17. A subkey ki (i = 1; 2; 3; 4) is XORed to the input of the S-box where the subkey ki is used in the ith iteration. Assume some values of the subkeys and use the di erential cryptanalysis to break the algorithm.

16.Take the encryption algorithm from the previous exercise. Find the best linear approximation of the S-box outputs and derive the necessary linear characteristics. Apply the linear cryptanalysis to recover the cryptographic key.

17.Write the polynomial of a function over 3 whose truth table is (10101001).

18.Consider a Boolean function f : 3 ! such that f(x1; x2; x3) = x1x2 x1x3 x2. Find out its truth table. Is the function balanced?

19.Let f(x1; x2; x3; x4 ) = x1x2x3 x3x4 x2. Find the truth table, sequence and matrix of f, W (f), Nf and ( ) for = (1111).

20.Given two Boolean functions f(x1; x2; x3) = x1x2x3 x2 and g(x1; x2) = x1 x2. What is the distance d(f; g)?

21.Determine all aÆne functions from the set A3.

22.Find the nonlinearity of the function f(x1; x2; x3) = x1 x2x3. The function f can be extended for arbitrary number of variables. Let f(x1; : : : ; xn) = x1 x2x3 where n > 3, what is the nonlinearity of the extended function?

23.Assume that f, g and h be functions on n with W (f) = 0, W (g) = 1 and W (h) = 2n. Find the nonlinearities Nf , Ng and Nh.

24.Let f(x1; x2; x3; x4; x5) = x1x3 x2x5 x2x4x5. Determine the set of vectors < for which the function does not satisfy the SAC.

25.Prove that any function of the form f(x1; : : : ; xn) = x1x2 x3x4 xn 1xn is bent when n is even and bigger than 2.

{ If Nf = 2, then W (f) = 2.

{ d(f; f g) = 2n 1 for some linear function g. { Nf g = Nf for any linear function g.

Table 3.8. DES S-boxes

166 3 PRIVATE-KEY CRYPTOSYSTEMS

Table 3.9. Key permutation PC1

Iteration s Iteration s

Table 3.10. Key schedule of left shifts LSs

Table 3.11. Key permutation PC2

Table 3.12. Serpent S-boxes

168 3 PRIVATE-KEY CRYPTOSYSTEMS

Output XOR -

Æ0x 1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx

No. of Chosen Analysed Complexity rounds plaintexts plaintexts of analysis

Table 3.14. Cryptanalysis of DES

Table 3.15. The truth table of f (s) = s1s2 and linear functions from L2

170 3 PRIVATE-KEY CRYPTOSYSTEMS

Combinations of Outputs

1x 2x 3x 4x 5x 6x 7x 8x 9x Ax Bx Cx Dx Ex Fx