
Homework 2


Introduction to Cryptography

TEK 4500 (Fall 2023)


Problem Set 2

Problem 1.
Read Chapter 3 and Chapter 4 (Sections 4.8–4.10 can be skipped) in [BR].

Problem 2.
Before AES was standardized in 2001, one of the most popular block ciphers was the Data
Encryption Standard. Unlike AES, DES only has a key size of 56 bits and a block size of
64 bits.
a) Suppose you have access to a really powerful computer which runs at 10 GHz and is
capable of performing a full DES encryption on a single clock cycle. How long would it
take to brute-force a 56 bit DES key using this computer? Assume you have a number
of known plaintext-ciphertext pairs available.
b) Technically, DES actually takes a 64 bit key, it's just that it ignores¹ every eighth bit. Thus
the key is effectively only 56 bit. Now suppose all of the key bits were used by DES.
How long would the attack take now?
c) After an upgrade, the computer is modified to instead perform a single AES-128
encryption on every clock cycle. How long would it take to brute force an AES-128 key
using this computer? Give your answer in years.
d) How old is the universe?
e) How many of these machines would you have to use to brute-force the AES-128 key
within one year? The average cost of electricity in Norway in 2020 was 20.7 øre per
kWh. Suppose one machine uses about 4000 kWh annually. What would it cost to run
your brute-force attack? Compare with the world’s yearly gross product.
¹ Actually, these bits are meant to be used for parity-checking of the key, but for security purposes this is
equivalent to simply ignoring them.

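$\mathrm{Exp}^{\mathrm{prf}}_F(A)$
1: $b \leftarrow \{0,1\}$
2: $K \xleftarrow{\$} \mathcal{K}$
3: $F_0 \leftarrow F_K$
4: $F_1 \xleftarrow{\$} \mathrm{Func}[m,n]$
5: $b' \leftarrow A^{F_b(\cdot)}$
6: return $b' \stackrel{?}{=} b$

$\mathrm{Adv}^{\mathrm{prf}}_F(A) = 2 \cdot \Pr[\mathrm{Exp}^{\mathrm{prf}}_F(A) \Rightarrow \text{true}] - 1$

Figure 1: PRF security experiment for a function $F : \mathcal{K} \times \{0,1\}^m \to \{0,1\}^n$.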
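The experiment of Figure 1 as runnable code, added here as an illustration and not part of the problem set. It assumes m = n = 128 and uses a constructed, deliberately weak candidate `toy_f` (F_K(X) = K xor X); `xor_adversary` and `blind_adversary` are hypothetical names for two sample adversaries.

```python
import secrets

N_BYTES = 16  # constructed parameters: m = n = 128 bits, keys are 128 bits

def toy_f(key: bytes, x: bytes) -> bytes:
    """Constructed weak candidate: F_K(X) = K xor X. Not a secure PRF."""
    return bytes(k ^ b for k, b in zip(key, x))

class RandomFunction:
    """Lazily sampled member of Func[m, n]: fresh random output per new input."""
    def __init__(self):
        self.table = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]

def xor_adversary(oracle) -> int:
    """Guess b' = 0 (real F) iff O(0) xor O(X) == X for a fixed nonzero X."""
    zero, x = bytes(N_BYTES), b"\x01" * N_BYTES
    diff = bytes(a ^ b for a, b in zip(oracle(zero), oracle(x)))
    return 0 if diff == x else 1

def blind_adversary(oracle) -> int:
    """Baseline that ignores the oracle; its advantage should be close to 0."""
    return 0

def exp_prf(f, adversary) -> bool:
    b = secrets.randbits(1)                # 1: b <- {0,1}
    key = secrets.token_bytes(N_BYTES)     # 2: K <-$ K
    f0 = lambda x: f(key, x)               # 3: F_0 <- F_K
    f1 = RandomFunction()                  # 4: F_1 <-$ Func[m, n]
    b_guess = adversary(f1 if b else f0)   # 5: b' <- A^{F_b(.)}
    return b_guess == b                    # 6: return b' = b

def estimate_advantage(f, adversary, trials: int = 2000) -> float:
    """Empirical Adv = 2 * Pr[Exp => true] - 1 over independent runs."""
    wins = sum(exp_prf(f, adversary) for _ in range(trials))
    return 2 * wins / trials - 1

if __name__ == "__main__":
    print("xor adversary  :", estimate_advantage(toy_f, xor_adversary))
    print("blind adversary:", estimate_advantage(toy_f, blind_adversary))
```

The factor 2 and the −1 in the advantage formula rescale a win probability between 1/2 and 1 to an advantage between 0 and 1, which is why the blind guesser lands near 0.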

Problem 3. [Problem 6.8 in [Ros]]


Suppose $F : \{0,1\}^k \times \{0,1\}^m \to \{0,1\}^n$ is a secure PRF with input length $m$ and output
length $n$. We want to use $F$ to construct another PRF $G$ that has a longer input length than
$F$. Below are some approaches that don't work. For each suggestion, describe a successful
distinguishing attack and compute its PRF-advantage. That is, compute $\mathrm{Adv}^{\mathrm{prf}}_G(A)$, where
$A$ is the adversary that runs your attack. Below "$\|$" denotes string concatenation, e.g.
$101 \| 01 = 10101$.
a) $G_K(X) = F_K(X') \| F_K(X'')$, where $X = X' \| X''$ and $X', X'' \in \{0,1\}^m$.
That is, $G$ splits its input $X \in \{0,1\}^{2m}$ into two halves $X', X''$, applies $F$ to each half
separately, and concatenates the result. Note that $G$ is a PRF of the form
$G : \{0,1\}^k \times \{0,1\}^{2m} \to \{0,1\}^{2n}$, i.e., it has twice the input length and twice the output length
of $F$.
b) $G_K(X) = F_K(X') \oplus F_K(X'')$, where $X = X' \| X''$ and $X', X'' \in \{0,1\}^m$.
Note that $G$ is of the form $G : \{0,1\}^k \times \{0,1\}^{2m} \to \{0,1\}^n$.
c) $G_K(X) = F_K(X') \oplus F_K(X' \oplus X'')$, where $X = X' \| X''$ and $X', X'' \in \{0,1\}^m$.
Note that $G$ is of the form $G : \{0,1\}^k \times \{0,1\}^{2m} \to \{0,1\}^n$.
d) $G_K(X) = F_K(0 \| X') \oplus F_K(1 \| X'')$, where $X = X' \| X''$ and $X', X'' \in \{0,1\}^{m-1}$.
Note that $G$ is of the form $G : \{0,1\}^k \times \{0,1\}^{2(m-1)} \to \{0,1\}^n$.

Problem 4.
Suppose $F : \{0,1\}^{128} \times \{0,1\}^{128} \to \{0,1\}^{128}$ is a secure PRF. For each of the following
constructions of a new PRF from $F$, decide whether it is also a secure PRF. If you think it's
not, describe an attack, else, indicate why the new construction is also secure.

a) $G_K(X) = \begin{cases} 0^{128}, & \text{if } K = 0^{128} \\ F_K(X), & \text{otherwise} \end{cases}$

b) $G_K(X) = \begin{cases} 0^{128}, & \text{if } X = 0^{128} \\ F_K(X), & \text{otherwise} \end{cases}$

c) $G_K(X) = F_K(X) \oplus 1^{128}$

d) $G_K(X) = F_K(X) \oplus C$, where $C \in \{0,1\}^{128}$ is a fixed and public (and thus known to the
adversary) hard-coded string of some arbitrary value.

Problem 5.
In this problem we'll look at a way of turning PRFs into PRPs. The construction is called
a Feistel network (after Horst Feistel) and is shown in Fig. 2. In detail, a Feistel network
converts a PRF $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ into a PRP $E : \{0,1\}^{r \cdot k} \times \{0,1\}^{2n} \to \{0,1\}^{2n}$,
having double the block length and $r$ times longer key, by applying $F$ in $r$ rounds where
the first $k$ bits of the key are used in the first round, the next $k$ bits are used in the second
round, and so on.

[Figure 2: Feistel network on halves $L$, $R$ with round functions $F_{K_1}, F_{K_2}, \ldots, F_{K_r}$. (a) One-round. (b) Two-rounds. (c) $r$ rounds.]
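A small implementation of the key-splitting and round structure described above, added as an illustration and not part of the problem set. It assumes the standard round wiring (new left = old right, new right = old left xor F(round key, old right)), which the extracted figure no longer shows, and uses truncated HMAC-SHA256 as a stand-in round function; `round_f` and `constant_f` are hypothetical names.

```python
import hashlib
import hmac

def round_f(k: bytes, x: bytes) -> bytes:
    """Stand-in round function (assumption): HMAC-SHA256 truncated to len(x)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:len(x)]

def constant_f(k: bytes, x: bytes) -> bytes:
    """Degenerate, non-injective round function: always returns all zeros."""
    return bytes(len(x))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def split_key(key: bytes, rounds: int) -> list:
    """First k bytes go to round 1, the next k bytes to round 2, and so on."""
    k, rem = divmod(len(key), rounds)
    if rem or k == 0:
        raise ValueError("key length must be a positive multiple of rounds")
    return [key[i * k:(i + 1) * k] for i in range(rounds)]

def halves(block: bytes):
    if len(block) % 2:
        raise ValueError("block must split into two equal halves")
    return block[:len(block) // 2], block[len(block) // 2:]

def feistel_encrypt(key: bytes, block: bytes, rounds: int, f=round_f) -> bytes:
    left, right = halves(block)
    for k_i in split_key(key, rounds):
        left, right = right, xor(left, f(k_i, right))
    return left + right

def feistel_decrypt(key: bytes, block: bytes, rounds: int, f=round_f) -> bytes:
    left, right = halves(block)
    for k_i in reversed(split_key(key, rounds)):
        # Undo one round: old right = left, old left = right xor F(k_i, left).
        left, right = xor(right, f(k_i, left)), left
    return left + right

if __name__ == "__main__":
    key, msg = bytes(range(48)), b"sixteen byte msg"   # constructed sample values
    for f in (round_f, constant_f):
        ct = feistel_encrypt(key, msg, 3, f)
        print(f.__name__, ct.hex(), feistel_decrypt(key, ct, 3, f) == msg)
```

Decryption calls `f` only in the forward direction, so the round trip works even with `constant_f`, which is very far from injective.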

a) Show that the Feistel network turns any PRF $F$ into a PRP $E$. That is, for all keys
$K \in \{0,1\}^{r \cdot k}$, show that the function $E_K : \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible.
b) Let $E^{(1)} : \{0,1\}^{128} \times \{0,1\}^{128} \to \{0,1\}^{128}$ denote the block cipher defined by the
one-round Feistel network shown in Fig. 2a, where $F : \{0,1\}^{128} \times \{0,1\}^{64} \to \{0,1\}^{64}$ is
the internal round function. Show that $E^{(1)}$ is not a secure PRF by demonstrating an
attack. What is the PRF-advantage of your attack? That is, what is $\mathrm{Adv}^{\mathrm{prf}}_{E^{(1)}}(A)$, where
$A$ is the adversary that runs your attack?

Hint: What is $E^{(1)}(K_1, 0^{128})$?

c) Let $E^{(2)} : \{0,1\}^{256} \times \{0,1\}^{128} \to \{0,1\}^{128}$ denote the block cipher defined by the
two-round Feistel network shown in Fig. 2b. Show that $E^{(2)}$ is not a secure PRF by
demonstrating an attack. What is the PRF-advantage of your attack?

Hint: it is possible to obtain a very high PRF-advantage by making two oracle queries
in the PRF experiment $\mathrm{Exp}^{\mathrm{prf}}_{E^{(2)}}(A)$.

d) Bonus: What can you say about the 3-round Feistel network $E^{(3)}$?

Problem 6. (Hard):
The DES block cipher introduced in Problem 2 is based on the Feistel network. Suppose
DES was only using a single round and suppose you have access to two plaintext-ciphertext
pairs $(X, Y)$, $(X', Y')$ (in particular, $X = L_0 \| R_0$ and $Y = L_1 \| R_1$; $X' = L'_0 \| R'_0$ and
$Y' = L'_1 \| R'_1$). Explain how you can recover the key $K \in \{0,1\}^{48}$ of this one-round version of
DES. For simplicity, assume that $K$ is used directly in the round function $F$ without any
key expansion first.

Hint 1: Unlike in Problem 5b), you should now exploit the concrete round function
$F : \{0,1\}^{48} \times \{0,1\}^{32} \to \{0,1\}^{32}$ used inside DES. The following amount of detail about the
DES round function is sufficient to answer this question (refer to Fig. 3):

• $E$ expands 32 bits to 48 bits by copying the 32 input bits to 32 different positions in the
output, and then duplicating certain bits of the input in the remaining 16 positions
of the output.

• $S_1, \ldots, S_8$ are the DES S-boxes. By design, each S-box is a 4-to-1 function² that maps
6 bits to 4 bits.

• $P$ shuffles the 32 input bits around.


² That is, for any output $B$ of an S-box $S_i$ there are exactly four inputs $A_1, A_2, A_3, A_4$ such that $S_i[A_j] = B$.

Figure 3: DES round function F .

Hint 2: From the equation $\mathrm{DES}^{(1)}(K, X) = Y$ work your way forward from $X = L_0 \| R_0$
till the input of the S-boxes, and backwards from $Y = L_1 \| R_1$ till the output of the S-boxes.
For each S-box, what is the relationship between the input and the output?

Hint 3: Some trial-and-error of candidate keys is necessary. However, it should be possible
to obtain $K$ by trying about $4^8 = 2^{16}$ candidate keys. Notice that this is much less than the
possibly $2^{48}$ keys you would have to try by brute-force.

Problem 7.
A crucial component of round functions used in DES and AES is their S-boxes. The
S-boxes are the only non-linear parts of DES and AES. Recall that a function $F$ is linear if
$F(A + B) = F(A) + F(B)$ for all inputs $A, B$. In this exercise you are asked to validate
that the first S-box of DES, $S_1$, is indeed non-linear by computing the output values for a
set of input values. In particular, show that $S_1(X_1) \oplus S_1(X_2) \neq S_1(X_1 \oplus X_2)$ for:
a) $X_1 = 000000$, $X_2 = 000001$
b) $X_1 = 111111$, $X_2 = 100000$
c) $X_1 = 101010$, $X_2 = 010101$
The definition of the $S_1$ S-box can be found here.

Extra: Write a script (e.g. in Python) that checks whether $S_1$ is non-linear for all inputs.
Do the same for the other DES S-boxes and the AES S-box. Values for the DES and AES
S-boxes can be found online, e.g., here (DES) and here (AES).
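One way to structure the check described above, added as an example and not part of the problem set. The $S_1$ table is the one from the DES standard (FIPS 46-3), and the lookup convention (outer two bits select the row, middle four bits the column) is the standard DES one; the function names are hypothetical.

```python
# DES S-box S1 as specified in FIPS 46-3 (4 rows x 16 columns).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def des_sbox(table, x: int) -> int:
    """Look up a 6-bit input: bits 1 and 6 give the row, bits 2..5 the column."""
    if not 0 <= x < 64:
        raise ValueError("DES S-box input must be 6 bits")
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def is_linear_at(table, x1: int, x2: int) -> bool:
    """True iff S(x1) xor S(x2) == S(x1 xor x2) for this particular pair."""
    return des_sbox(table, x1) ^ des_sbox(table, x2) == des_sbox(table, x1 ^ x2)

def linearity_violations(table) -> int:
    """Count ordered pairs (x1, x2) of 6-bit inputs that break linearity."""
    return sum(
        not is_linear_at(table, x1, x2)
        for x1 in range(64)
        for x2 in range(64)
    )

def check_pair(table, bits1: str, bits2: str):
    """Return (S(x1), S(x2), S(x1 xor x2)) for inputs given as bit strings."""
    x1, x2 = int(bits1, 2), int(bits2, 2)
    return des_sbox(table, x1), des_sbox(table, x2), des_sbox(table, x1 ^ x2)

if __name__ == "__main__":
    for a, b in [("000000", "000001"), ("111111", "100000"), ("101010", "010101")]:
        s1, s2, s12 = check_pair(DES_S1, a, b)
        print(f"{a} {b}: {s1} xor {s2} = {s1 ^ s2}, S1(x1 xor x2) = {s12}")
    print("violating pairs out of 4096:", linearity_violations(DES_S1))
```

The other DES S-boxes can be passed to the same functions as 4×16 tables; the AES S-box is a flat 256-entry table and needs a plain index lookup in place of `des_sbox`.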

References
[BR] Mihir Bellare and Phillip Rogaway. Introduction to Modern Cryptography.
https://web.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf.

[PP] Christof Paar and Jan Pelzl. Understanding Cryptography - A Textbook for Students and
Practitioners. Springer, 2010.

[Ros] Mike Rosulek. The Joy of Cryptography, (draft Feb 6, 2020).
https://web.engr.oregonstate.edu/~rosulekm/crypto/crypto.pdf.
