Cryptography: Theory and Practice:The Data Encryption Standard
 | Cryptography: Theory and Practice by Douglas Stinson CRC Press, CRC Press LLC ISBN: 0849385210 Pub Date: 03/17/95 |
| Previous | Table of Contents | Next |
3.7 Notes and References
A nice article on the history DES is by Smid and Branstad [SB92]. Federal Information Processing Standards (FIPS) publications concerning DES include the following: description of DES [NBS77]; implementing and using DES [NBS81]; modes of operation of DES [NBS80]; and authentication using DES [NBS85].
Some properties of the S-boxes are studied by Brickell, Moore, and Purtill [BMP87].
The DEC DES chip is described in [EB93]. Wiener’s key search machine was described at CRYPTO ’93 [WI94].
The time-memory trade-off for DES is due to Hellman [HE80]. A more general time-memory trade-off is presented by Fiat and Naor in [FN91].
The technique of differential cryptanalysis was developed by Biham and Shamir [BS91] (see also [BS93A] and their book [BS93], where cryptanalysis of other cryptosystems is also discussed). Our treatment of differential cryptanalysis is based largely on [BS93].
Another new method of cryptanalysis that can be used to attack DES and other similar cryptosystems is the linear cryptanalysis of Matsui [MA94, MA94A].
Descriptions of other substitution-permutation cryptosystems can be found in the following sources: LUCIFER [FE73]; FEAL [MI9 1]; REDOC-II [CW91]; and LOKI [BKPS90].
Exercises
- 3.1 Prove that DES decryption can be done by applying the DES encryption algorithm to the ciphertext with the key schedule reversed.
- 3.2 Let DES(x, K) represent the encryption of plaintext x with key K using the DES cryptosystem. Suppose y = DES (x, K) and y′ = DES (c(x), c(K)), where c(·) denotes the bitwise complement of its argument. Prove that y′ = c(y) (i.e., if we complement the plaintext and the key, then the ciphertext is also complemented). Note that this can be proved using only the “high-level” description of DES — the actual structure of S-boxes and other components of the system are irrelevant.
- 3.3 One way to strengthen DES is by double encryption: Given two keys, K1 and K2, define
(of course, this is just the product of DES with itself). If it happened that the encryption function 
was the same as the decryption function 
, then K1 and K2 are said to be dual keys. (This is very undesirable for double encryption, since the resulting ciphertext is identical to the plaintext.) A key is self-dual if it is its own dual key. - (a) Prove that if C0 is either all 0’s or all 1’s and D0 is either all 0’s or all 1’s, then K is self-dual.
- (b) Prove that the following keys (given in hexadecimal notation) are self-dual:
0101010101010101
FEFEFEFEFEFEFEFE
1F1F1F1F0E0E0E0E
E0E0E0E0F1F1F1F1- (c) Prove that if C0 = 0101 . . . 01 or 1010 . . . 10 (in binary), then the x-or of the bitstrings Ci and C17-i is 1111 . . . 11, for 1 ≤ i ≤ 16 (a similar statement holds for the Di’s).
- (d) Prove that the following pairs of keys (given in hexadecimal notation) are dual:
E001E001F101F101
FE1FFE1FFE0EFE0E
E01FE01FF10EF10E01E001E001F101F1
1FFE1FFE0EFE0EFE
1FE01FE00EF10EF1 - (b) Prove that the following keys (given in hexadecimal notation) are self-dual:
- 3.4 A message authentication code (MAC) can be produced by using CFB mode, as well as by using CBC mode. Given a sequence of plaintext blocks x1 . . . xn, suppose we define the initialization vector IV to be x1. Then encrypt x2 . . . xn using key K in CFB mode, obtaining y1 . . . yn-1 (note that there are only n - 1 ciphertext blocks). Finally, define the MAC to be eK(yn-1). Prove that this MAC is identical to the MAC produced in Section 3.4.1 using CBC mode.
- 3.5 Suppose a sequence of plaintext blocks, x1, . . . xn, is encrypted using DES, producing ciphertext blocks y1 . . . yn. Suppose that one ciphertext block, say yi, is transmitted incorrectly (i.e., some 1’s are changed to 0’s and vice versa). Show that the number of plaintext blocks that will be decrypted incorrectly is equal to one if ECB or OFB modes were used for encryption; and equal to two if CBC or CFB modes were used.
- 3.6 The purpose of this question is to investigate a simplified time-memory trade-off for a chosen plaintext attack. Suppose we have a cryptosystem in which
, which attains perfect secrecy. Then it must be the case that 
implies K = K1. Denote 
. Let x be a fixed plaintext. Define the function g : Y → Y by the rule g(y) = ey(x). Define a directed graph G having vertex set Y, in which the edge set consists of all the directed edges of the form (yi, g(yi)), 1 ≤ i ≤ N. - (a) Prove that G consists of the union of disjoint directed cycles.
- (b) Let T be a desired time parameter. Suppose we have a set of elements Z = {z1, . . . , zm} ⊆ Y such that, for every element yi ∈ Y, either yi is contained in a cycle of length at most T, or there exists an element zj ≠ yi such that the distance from yi to zj (in G) is at most T. Prove that there exists such a set Z such that
so |Z| is O(N/T)
- (c) For each zj ∈ Z, define g-T (zj) to be the element yi such that gT (yi) = zj, where gT is the function that consists of T iterations of g. Construct a table X consisting of the ordered pairs (zj, g-T (zj)), sorted with respect to their first coordinates.
A pseudo-code description of an algorithm to find K, given y = eK (x), is presented in Figure 3.15. Prove that this algorithm finds K in at most T steps. (Hence the time-memory trade-off is O(N).)
Figure 3.15 Time-memory trade-off
Figure 3.16 Differential attack on 4-round DES- (d) Describe a pseudo-code algorithm to construct the desired set Z in time O(NT) without using an array of size N.
- (b) Let T be a desired time parameter. Suppose we have a set of elements Z = {z1, . . . , zm} ⊆ Y such that, for every element yi ∈ Y, either yi is contained in a cycle of length at most T, or there exists an element zj ≠ yi such that the distance from yi to zj (in G) is at most T. Prove that there exists such a set Z such that
- 3.7 Compute the probabilities of the following 3-round characteristic:
- 3.8 Here is a differential attack on a 4-round DES. It uses the following characteristic, which is a special case of the characteristic presented in Figure 3.10:
- (a) Suppose that the following algorithm presented in Figure 3.16 is used to compute sets test2, . . . test8. Show that Jj ∈ testj for 2 ∈ j ∈ 8.
- (b) Given the following plaintext-ciphertext pairs, find the key bits J2, . . . , J8.
plaintext ciphertext
18493AC485B8D9A0 E332151312A18B4F 38493AC485B8D9A0 87391C27E5282161
482765DDD7009123 B5DDD8339D82D1D1 682765DDD7009123 81F4B92BD94B6FD8
ABCD098733731FF1 93A4B42F62EA59E4 8BCD098733731FF1 ABA494072BF411E5
13578642AAFFEDCB FDEB526275FB9D94 33578642AAFFEDCB CC8F72AAE685FDB1
- (c) Compute the entire key (14 key bits remain to be determined, which can be done by exhaustive search).
- (b) Given the following plaintext-ciphertext pairs, find the key bits J2, . . . , J8.
- 3.2 Let DES(x, K) represent the encryption of plaintext x with key K using the DES cryptosystem. Suppose y = DES (x, K) and y′ = DES (c(x), c(K)), where c(·) denotes the bitwise complement of its argument. Prove that y′ = c(y) (i.e., if we complement the plaintext and the key, then the ciphertext is also complemented). Note that this can be proved using only the “high-level” description of DES — the actual structure of S-boxes and other components of the system are irrelevant.
| Previous | Table of Contents | Next |
Copyright © CRC Press LLC
EAN: 2147483647
Pages: 133
- The Second Wave ERP Market: An Australian Viewpoint
- Enterprise Application Integration: New Solutions for a Solved Problem or a Challenging Research Field?
- Distributed Data Warehouse for Geo-spatial Services
- Healthcare Information: From Administrative to Practice Databases
- Relevance and Micro-Relevance for the Professional as Determinants of IT-Diffusion and IT-Use in Healthcare