Cryptography

Part I

2014/05/06

(3 points each)

1. Which is the order of [

A. 2

Midterm Exam

B. 3

] in the general linear group GL2(Z3)?

C. 4

2. Which multiplicative group is cyclic?

A. Z8*
B. Z10*
C. Z12*

D. 6

E. None of the above

D. Z15*

E. None of the above

3. Which irreducible polynomial over GF 5 is primitive?

A. x2 + 2
B. x2 + 3
C. x2 + x +1
D. x2 + x + 2

E. None of the above

4. Each S-box of DES maps an m-bit input to an n-bit output. Which is (m, n)?
A. (4, 4)
B. (4, 6)
C. (8, 6)
D. (8, 8)
E. None of the above
5. A chained Galois field multiplication is performed for authentication in Galois
Counter Mode (GCM). Which Galois field is this multiplication performed in?
A. GF(28)
B. GF(232) C. GF(264)
D. GF(2128)
E. None of the above
6. Which quotient ring is isomorphic to GF 81?
A. GF 3 [ x] / < x4 + x + 2 >
B. GF 3 [ x] / < x4 + 1 >
C. GF 3 [ x] / < x4 + 2 x +1 >
D. GF 3 [ x] / < x4 + 2 >

E. None of the above

7. According to Steins Recursion, which is gcd(7031, 4717) reduced to?

A. gcd((7031 + 4717)/2, 4717) B. gcd((7031 + 4717)/2, (7031 4717)/2)
C. gcd((7031 4717)/2, 4717) D. gcd(7031 4717, 4717)
E. None of the above
8. Confusion and diffusion are two primitive operations with which strong
encryption can be built. Which is the operation of confusion in AES?
A. Byte Substitution
B. Shift Rows
C. Key Addition
D. Mix Column
E. None of the above
9. Which is the additional property for the output of CSPRNG (Cryptographically
Secure Pseudorandom Number Generator) in contrast to general PRNG?
A. Has good statistical properties
B. Based on physical random process
C. Computed in a recursive way
D. Unpredictable
E. None of the above

10. Which mode of operation

is shown as the figure?
A. CBC
B. OFB
C. CFB
D. CTR
E. None of the above
xj : plaintext
cj : ciphertext

Encryption

Part II

Decryption

(3 points each)

a = 11 and b = 12 is the pair of integers satisfying 53 a + 128 b = 1,

where a is the least positive one. If an affine cipher has the encryption formula
y = 53 x + 31 mod 128, where x, y Z128 are plaintext and ciphertext respectively,
then the decryption formula is x = 13 mod 128.
To show that 7 is a generator of the multiplicative group Z41*, it is sufficient to
verify 7 m 1 and 7 n 1 where 0 < m < n. We have (m, n) = ( 14 , 15 ).
The Galois field GF32 is unique up to isomorphism.
GF32 consists of all roots of f (x) = 16 over GF2.
GF32 can be represented by the quotient ring K = GF2 [x] / < x5 + x4 + g (x) >,
where g (x) = 17 is a polynomial of degree 2 over GF2.
h (x) is a polynomial of degree 4 over GF2 satisfying the relation of cosets
[x 2014] = [h (x)] in K, then h (x) = 18 .
Consider an LFSR of degree 161 generated by a primitive polynomial (degree 161).
The period of its output sequence is 19 .
As soon as an attacker knows 20 consecutive output bits, the polynomial
can be constructed by merely solving a system of linear equations, hence the
output sequence of such an LFSR is predictable.
A simple PRNG, Linear Congruential Generator, is generated by a recursive
formula Si +1 = A Si + B mod m, where A, B, and the seed S0 are kept secret.
Suppose m = 64, and the first three outputs S1 = 15, S2 = 22, and S3 = 13 are
obtained, then A = 21 , B = 22 , and S4 = 23 . All the following output
Sis are predictable, which is very bad for cryptographic applications.

 Among ECB, CBC, OFB, CFB, and CTR, select a mode of operation to satisfy
the following property respectively.
Using only the encryption function of a block cipher, 24 can be parallelized
for both encryption and decryption.
25 makes a block cipher generating keystream into a self-synchronizing (or
asynchronous) stream cipher.
Complete the table for DES, Triple DES (3DES), and AES:
Key Length (bits)
Block Length (bits)
Number of Rounds
Number of Different S-box(s)

DES
56

Triple DES
112
168
64

128

16

48

28

The S-box of AES is constructed as follows.

bi,j
ai,j ai,j1 bi,j
y 1
ai,j ai,j1 = 1 (mod x8 + x4 + x3 + x + 1) but 01 = 0 y 1
y 1
Affine transformation: ai,j1 bi,j

y 1
Complete the last mapping in hexadecimal:
y 1

00 00 63 [= (01100011)2]
y 0
y 0

01 01 7C [= (01111100)2]

y 0

07 29 30
0

2
3
4

5
6

Part III

AES
192
27
12
1

26
14

ai,j1
0 0 0 1 1 1 1 x0 1
1 0 0 0 1 1 1 x1 1
1 1 0 0 0 1 1 x2 0

1 1 1 0 0 0 1 x3 0

1 1 1 1 0 0 0 x4 0

1 1 1 1 1 0 0 x5 1
0 1 1 1 1 1 0 x6 1

0 0 1 1 1 1 1 x7 0

(Write down all details of your work)

31

(3 points) Find all generators of the multiplicative group Z11*, i.e., primitive
roots modulo 11.

32

(7 points) Consider Double DES with 64-bit block size and 112-bit key size.
(1) Given a plaintext-ciphertext pair (x1, y1) encrypted by a key k.
a) Explain the Meet-in-the-Middle Attack to find k.
b) What is its complexity of encryptions and decryptions?
c) What is its complexity of storage?
d) What is the expected number of false keys (or false positive results)?
(2) Given another plaintext-ciphertext pair (x2, y2) encrypted by the same key k.
What is the expected number of false keys?

Cryptography

Midterm Exam

Name: __________
1

31 & 32

Department: ________
3

2014/05/06

Student ID#: __________

7

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

Cryptography

Midterm Exam

2014/05/06

Solution
1

10

11

12

13

14

15

29

12

29 ( y 31)

20

16

17

18

19

20

x32 x

x2 + x + 1

x4 + x3 + x + 1

2161 1

322

21

22

23

24

25

17

23

52

CTR

CFB

26

27

28

29

30

256

128

10

D1

C5

31
2, 6, 7, 8
32
(1)
(2)

b) 257 c) 256 d) 2112 64 = 248

2112 642 = 2 16