
FIT5163 Use Chinese Remainder Theorem in RSA

FIT5163 Information & Computer Security


Discussion Sheet 4
Cryptography II
1. The following questions relate to the AES cipher

(a) What is the purpose of the State array?


The State array holds the intermediate results on the 128-bit block at each stage in the
processing.
(b) Briefly describe SubBytes.
Each individual byte of State is mapped into a new byte in the following way: The
leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a
column value. These row and column values serve as indexes into the S-box to select a
unique 8-bit output value.
(c) Briefly describe ShiftRows.
The first row of State is not altered. For the second row, a 1-byte circular left shift is
performed. For the third row, a 2-byte circular left shift is performed. For the fourth row,
a 3-byte circular left shift is performed.
(d) How many bytes in State are affected by ShiftRows?
12 bytes. Each State consists of an array of 4 × 4 bytes. Only Row 0 is unchanged. All
other 3 rows are shifted, resulting in 4 × 3 = 12 bytes in the State affected by this
operation.
(e) Briefly describe MixColumns.
MixColumns operates on each column individually. Each byte of a column is mapped
into a new value that is a function of all four bytes in that column.
(f) Briefly describe AddRoundKey.
The 128 bits of State are bitwise XORed with the 128 bits of the round key.
(g) Briefly describe the key expansion algorithm.
The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a
linear array of 44 words (176 bytes). The expansion algorithm is defined by the diagram
in Figure 2:
The original key is copied into the first 4 words (w0..w3) of the expanded key.
Then the loop creates each new word wi from wi-1 and wi-4. For every fourth word
(i a multiple of 4), wi-1 first passes through the function g:
i. RotWord performs a one-byte circular left shift on a word. This means that an
input word [b0, b1, b2, b3] is transformed into [b1, b2, b3, b0].
ii. SubWord performs a byte substitution on each byte of its input word, using the
S-box as shown in Figure 1, AES S-Boxes.
iii. The result of the previous two steps is XORed with a round constant Rcon[i/4],
which is different at each round.
The output of the function g is then XORed with wi-4 to give wi. The remaining three
words of the round do not use g: wi+1 = wi XOR wi-3, wi+2 = wi+1 XOR wi-2, and so on.
(h) What is the difference between SubBytes and SubWord?
SubBytes operates on State, with each byte mapped into a new byte using the S-box.
SubWord operates on an input word (Key Expansion algorithm), with each byte of the
word mapped into a new byte using the same S-box as for SubBytes used on State.
(i) What is the difference between ShiftRows and RotWord?
ShiftRows operates on the rows of the State. RotWord performs a one-byte circular left
shift on a word of the key during key expansion; thus it is equivalent to the operation of
ShiftRows on the second row of State.


(j) What is the difference between the AES decryption algorithm and the equivalent inverse
cipher?
For the AES decryption algorithm, the sequence of transformations for decryption differs
from that for encryption, although the form of the key schedules for encryption and
decryption is the same. The equivalent version has the same sequence of transformations
as the encryption algorithm (with transformations replaced by their inverses). To
achieve this equivalence, a change in key schedule is needed.

2. The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a
linear array of 44 words (176 bytes). AES S-boxes are shown in Figure 1. The diagram in
Figure 2 given below defines the expansion algorithm:
The function g consists of the following subfunctions:

(a) RotWord performs a one-byte circular left shift on a word. This means that an input
word [b0 , b1 , b2 , b3 ] is transformed into [b1 , b2 , b3 , b0 ].
(b) SubWord performs a byte substitution on each byte of its input word, using the S-box as
shown in Figure 1, AES S-Boxes.
(c) The result of steps 1 and 2 is XORed with a round constant; in this particular case
(the first round) it is Rcon[1] = {01 00 00 00}.

0 1 2 3 4 5 6 7 8 9 A B C D E F
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
Figure 1: AES S-Boxes


Figure 2: AES Key Expansion

Show the first eight words of the key expansion for a 128-bit key of:
44D82220E41FA6697368C0D0ACB2EB71. Show all your calculations.
Key:44D82220E41FA6697368C0D0ACB2EB71
w0 =44D82220
w1 =E41FA669
w2 =7368C0D0
w3 =ACB2EB71

Function g applied to w3:
RotWord: [b0 b1 b2 b3] → [b1 b2 b3 b0], so ACB2EB71 → B2EB71AC

S-box lookup (SubWord): B2 → 37, EB → E9, 71 → A3, AC → 91, giving 37E9A391

XOR with Rcon[1] = 01000000:
37E9A391 ⊕ 01000000 = 36E9A391 : output of function g for the first round

w4 = w0 ⊕ g(w3) = 44D82220 ⊕ 36E9A391 = 723181B1
w5 = w1 ⊕ w4 = E41FA669 ⊕ 723181B1 = 962E27D8
w6 = w2 ⊕ w5 = 7368C0D0 ⊕ 962E27D8 = E546E708
w7 = w3 ⊕ w6 = ACB2EB71 ⊕ E546E708 = 49F40C79
Round 1 key (w4 w5 w6 w7): 723181B1 962E27D8 E546E708 49F40C79
(the round 0 key used in the initial AddRoundKey is the original key, w0..w3)

[Figure: the same expansion drawn in the style of Figure 2. The key as a 4 × 4 byte matrix
(columns W0..W3):
44 E4 73 AC
D8 1F 68 B2
22 A6 C0 EB
20 69 D0 71
W3 = AC B2 EB 71 → RotWord → B2 EB 71 AC → SubWord → 37 E9 A3 91 → XOR Rcon[1] = 01 00 00 00
→ 36 E9 A3 91, which is XORed in turn with W0..W3 to give
W4..W7 = 723181B1 962E27D8 E546E708 49F40C79.]

3. Given the plaintext: [000102030405060708090A0B0C0D0E0F] and the 128 bit key used as:
[01010101010101010101010101010101]:

(a) Show the original contents of the State, displayed as a 4 × 4 matrix.


In AES the plaintext is 128 bits or 16 bytes, which is copied into the State array. Each
column of the 4 × 4 State matrix holds 4 consecutive bytes of plaintext, filling column by
column starting with column 1. Hence the State matrix is:
00 04 08 0C
01 05 09 0D
02 06 0A 0E
03 07 0B 0F


(b) Show the value of the State after the initial AddRoundKey.
The State after the initial AddRoundKey is State ⊕ Key, i.e. every byte XORed with 01:
01 05 09 0D
00 04 08 0C
03 07 0B 0F
02 06 0A 0E
(c) Show the value of the State after SubBytes.
The contents of the State byte after SubBytes (refer to Figure 1, AES S-Box) is:
7C 6B 01 D7
63 F2 30 FE
7B C5 2B 76
77 6F 67 AB
(d) Show the value of the State after ShiftRows.
The contents of the State matrix after ShiftRows:
7C 6B 01 D7
F2 30 FE 63
2B 76 7B C5
AB 77 6F 67
(e) Show the value of the State after MixColumns as a multiplication of two matrices.
[02 03 01 01]   [7C 6B 01 D7]   [75 87 0F B2]
[01 02 03 01] × [F2 30 FE 63] = [55 E6 04 22]
[01 01 02 03]   [2B 76 7B C5]   [3E 2E B8 8C]
[03 01 01 02]   [AB 77 6F 67]   [10 15 58 0A]
(multiplication and addition are in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1,
so "addition" is XOR and 02 · b is a left shift with conditional reduction by 1B)
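The following is an added example, not part of the discussion sheet: a compact Python model of the AES-128 pieces that Questions 2 and 3 work by hand. The S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than copied from Figure 1, and Rcon and the MixColumns matrix are the FIPS-197 constants; the key, plaintext and expected values come from the sheet. It is written for clarity, not speed, and is not constant-time, so it is for checking hand calculations only.

```python
# Added example (not the sheet's own code): AES-128 S-box, key expansion and
# the first-round transformations, enough to reproduce Questions 2 and 3.

def xtime(b):
    """Multiply a GF(2^8) element by x (0x02), reducing by x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S-box entry = affine map of the multiplicative inverse (0 has no inverse, maps to 0)."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):                       # s = inv ^ rotl(inv,1..4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def key_expansion(key):
    """FIPS-197 5.2: 16-byte key -> 44 words. g = RotWord, SubWord, XOR Rcon on every 4th word."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]     # w0..w3 = the key itself
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                       # RotWord
            t = [SBOX[b] for b in t]                # SubWord
            t[0] ^= RCON[i // 4 - 1]                # Rcon[i/4] = {rc, 00, 00, 00}
        w.append([a ^ b for a, b in zip(w[i - 4], t)])   # w_i = w_{i-4} XOR t
    return [bytes(x) for x in w]

def to_state(block):
    """Bytes fill the State column by column: State[r][c] = block[4c + r]."""
    return [[block[4 * c + r] for c in range(4)] for r in range(4)]

def add_round_key(state, words):
    rk = to_state(b"".join(words))
    return [[state[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    """Row r is rotated left by r bytes; row 0 is untouched, so 12 bytes move."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state):
    """Each output byte is a GF(2^8) linear combination of the 4 bytes in its column."""
    return [[gmul(MIX[r][0], state[0][c]) ^ gmul(MIX[r][1], state[1][c])
             ^ gmul(MIX[r][2], state[2][c]) ^ gmul(MIX[r][3], state[3][c])
             for c in range(4)] for r in range(4)]

def first_round_trace(plaintext, key):
    """The States Question 3 asks for, keyed by step name."""
    w = key_expansion(key)
    s = {"initial": to_state(plaintext)}
    s["add_round_key"] = add_round_key(s["initial"], w[0:4])
    s["sub_bytes"] = sub_bytes(s["add_round_key"])
    s["shift_rows"] = shift_rows(s["sub_bytes"])
    s["mix_columns"] = mix_columns(s["shift_rows"])
    return s

def hex_rows(state):
    """Render a State as four rows of hex bytes, the way the sheet prints it."""
    return [" ".join(f"{b:02X}" for b in row) for row in state]

if __name__ == "__main__":
    w = key_expansion(bytes.fromhex("44D82220E41FA6697368C0D0ACB2EB71"))
    print("w4..w7:", " ".join(x.hex().upper() for x in w[4:8]))
    for step, st in first_round_trace(bytes(range(16)), b"\x01" * 16).items():
        print(step)
        print("\n".join(hex_rows(st)))
```

Running it prints w4..w7 = 723181B1 962E27D8 E546E708 49F40C79 and the five State matrices of Question 3; the FIPS-197 Appendix A key (2b7e1516...) is a useful second check that the expansion is right beyond the sheet's single example.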
4. Compare AES to DES. For each of the following elements of DES, indicate the comparable
element in AES or explain why it is not needed in AES.

(a) XOR of subkey material with the input to the f function


AddRoundKey
(b) XOR of the f function output with the left half of the block
The MixColumns step, because this is where the different bytes interact with each other.
(c) The f function
The SubBytes step, because it contributes nonlinearity to AES.
(d) Permutation P
The ShiftRows step, because it permutes the bytes.
(e) Swapping of halves of the block
There is no wholesale swapping of rows or columns. AES does not require this step
because: the MixColumns step causes every byte in a column to alter every other byte in
the column, so there is no need to swap rows; the ShiftRows step moves bytes from one
column to another, so there is no need to swap columns.

5. What is triple encryption?


With triple encryption, a plaintext block is encrypted by passing it through an encryption
algorithm; the result is then passed through the same encryption algorithm again; the result
of the second encryption is passed through the same encryption algorithm a third time.
Typically, the second stage uses the decryption algorithm rather than the encryption
algorithm.

6. What is a meet-in the-middle attack?


This is an attack used against a double encryption algorithm and requires a known (plaintext,
ciphertext) pair. In essence, the plaintext P is encrypted to produce an intermediate value in
the double encryption, and the ciphertext C is decrypted to produce an intermediate value
in the double encryption.

It works whenever a cipher is used twice: since X = E(K1, P) = D(K2, C), the attacker
encrypts P under every candidate K1 and stores the results, then decrypts C under every
candidate K2 and looks for a matching X. One can show that for double DES this takes on
the order of 2^56 steps (2^56 encryptions plus 2^56 decryptions, about 2^57 in total)
instead of the 2^112 that the 112-bit key pair suggests.

Table lookup techniques can be used in such a way as to dramatically improve on a brute-force
try of all pairs of keys. (A single 64-bit pair still leaves about 2^112 / 2^64 = 2^48 key
pairs that match by chance; a second known pair eliminates almost all of them.)
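The attack described above, run end to end as an added example that is not part of the discussion sheet. It uses a constructed 16-bit toy block cipher (its nibble S-box, rounds and the keys used below are inventions for the demo; only the attack structure is the sheet's) so that the whole key space fits in memory: per stage the key is 16 bits, so the key pair has 32 bits, and the attack does 2 × 2^16 cipher operations instead of 2^32. Because the block is only 16 bits, a single known pair leaves about 2^16 chance matches, so the code confirms candidates on further known pairs, which is the same false-positive issue double DES has with its 64-bit block.

```python
# Added example (not the sheet's own code): meet-in-the-middle against a constructed
# toy cipher applied twice. Nothing here is a real cipher.

NIB = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
NIB_INV = [NIB.index(v) for v in range(16)]
KEY_BITS = 16                      # per-stage key size; the key pair has 2 * KEY_BITS bits

def _rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & 0xFFFF

def _sub(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return ((box[x >> 12] << 12) | (box[(x >> 8) & 0xF] << 8)
            | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF])

def toy_encrypt(key, block):
    """4 rounds of (XOR rotated key, nibble S-box, rotate by 5), then key whitening."""
    x = block
    for r in range(4):
        x = _rotl16(_sub(x ^ _rotl16(key, 3 * r), NIB), 5)
    return x ^ key

def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt: undo whitening, then the rounds in reverse order."""
    x = block ^ key
    for r in reversed(range(4)):
        x = _sub(_rotl16(x, 11), NIB_INV) ^ _rotl16(key, 3 * r)
    return x

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) for double encryption from known (P, C) pairs.

    Cost: 2^KEY_BITS encryptions + 2^KEY_BITS decryptions and a table of 2^KEY_BITS
    entries, instead of 2^(2*KEY_BITS) trial double-encryptions for exhaustive search.
    """
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):            # X = E(K1, P) for every K1, stored
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):            # X = D(K2, C) for every K2, looked up
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            # a 16-bit block leaves ~2^(2*KEY_BITS - 16) chance matches on one pair,
            # so confirm each candidate on the remaining known pairs
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0x3A7F, 0xC0DE                    # the unknown key pair, constructed for the demo
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

With three known pairs the list normally contains only the true key pair; with `pairs[:1]` the same function returns tens of thousands of candidates, which is the point the sheet's "requires a known pair" glosses over.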

7. How many keys are used in triple encryption?


Triple encryption can be used with three distinct keys for the three stages; alternatively, the
same key can be used for the first and third stage.

8. Why is the middle portion of 3DES decryption rather than an encryption?


There is no cryptographic significance to the use of decryption for the second stage. Its only
advantage is that it allows users of 3DES to decrypt data encrypted by users of the older
single DES by using the same key in all three stages (K1 = K2 = K3).

9. What primitive operations are used in RC4?


The actual encryption involves only the XOR operation. Key stream generation involves
addition modulo 256 (the modulo operation) and byte swapping.

10. Using the provided RC4 key schedule algorithm shown in Figure 3 and the following 128-bit
key K=F2021BB6C7E907D06DAFE4687E579FCE, represented in hex, calculate the value of j and
S[i] for i=0 and i=1. (Note: consider the key as an array of bytes from left to right)

for i = 0 to 255 do
S[i] = i
T[i] = K[i mod keylen]
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) mod 256
swap (S[i], S[j])

Figure 3: RC4 key schedule algorithm

Initializing the S array:


S[0]=0
S[1]=1
etc.
Initializing the T array:
T[0] = K[0 mod 16] = K[0] = F2
T[1] = K[1 mod 16] = K[1] = 02
and the 16-byte key is repeated 16 times to fill the 256-byte array T (that is,
T[0] = T[16] = T[32] = ... = T[240] = F2,
T[1] = T[17] = T[33] = ... = T[241] = 02, and so on).
For i = 0 we have: j = (j + S[0] + T[0]) mod 256 = (0 + 0 + F2) mod 256 = F2 (hex) = 242
Then swap S[i] and S[j], i.e. S[0] and S[F2].
S[F2] still holds its own index, F2 (hex) = 15 × 16 + 2 = 242, so after the swap S[0] = 242
and S[242] = 0.
For i = 1 we have: j = (j + S[1] + T[1]) mod 256 = 242 + 1 + 2 = 245 (F5 hex)
Then swap S[1] and S[F5]; by the same argument S[F5] = S[245] = 245, so after the swap
S[1] = 245 (F5) and S[245] = 1.
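The key schedule of Figure 3 in Python, with a per-step trace that reproduces the two hand-computed steps above, plus the keystream generator so the scheduled S is actually used; this is an added example and not part of the sheet. The trace tuple layout and the helper names are my own choices.

```python
# Added example (not the sheet's own code): RC4 KSA with a step trace, PRGA, and
# encryption, checked against the sheet's key and a published known-answer vector.

def rc4_ksa(key, trace_steps=0):
    """Run the KSA of Figure 3. Returns S and a list of (i, j, S[i], S[j]) after
    each of the first `trace_steps` swaps, which is what Question 10 asks for."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]   # key repeated to 256 bytes
    j = 0
    trace = []
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
        if i < trace_steps:
            trace.append((i, j, S[i], S[j]))
    return S, trace

def rc4_keystream(S, n):
    """PRGA: produce n keystream bytes from a scheduled S (the caller's S is not modified)."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_crypt(key, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    S, _ = rc4_ksa(key)
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(S, len(data))))

if __name__ == "__main__":
    K = bytes.fromhex("F2021BB6C7E907D06DAFE4687E579FCE")   # the key from Question 10
    _, trace = rc4_ksa(K, trace_steps=2)
    for i, j, si, sj in trace:
        print(f"i={i}: j={j} (0x{j:02X}), S[{i}]={si}, S[{j}]={sj}")
```

The trace prints j = 242 with S[0] = 242, S[242] = 0, then j = 245 with S[1] = 245, S[245] = 1, matching the working above. RC4 itself should not be used in new designs: its keystream has well-known biases and it is prohibited in TLS (RFC 7465); the implementation here is for understanding the schedule, not for protecting data.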

11. Consider a block cipher algorithm with the following properties:

Input and output block length of 64 bits and the key size is 56 bits.
Given a key K, the key scheduling requires 2 microseconds (2 × 10^-6 s).
After the key scheduling produces all the sub-keys (if required), the encryption of a
single 64-bit block takes 0.5 microseconds.

Compute the following information:

The total time required (in microseconds) to encrypt 1 MByte (2^20 bytes) of data.
First we need to find the number of 64-bit blocks in 1 MByte of data:
number of bits in 1 MB = 2^20 bytes × 8 bits/byte = 8,388,608 = 2^23 bits
Number of data blocks = 8,388,608 / 64 = 131,072 = 2^17 blocks of 64 bits each
It is now simply a matter of recognising that the key K is scheduled only once for
this encryption, and that we need to encrypt 131,072 blocks of data:
Time = 2 µs + 2^17 × 0.5 µs = 2 + 65,536 = 65,538 microseconds
Given two values C and M such that C = E_K(M) under the unknown key K, how
many years (at most) are required to crack the cipher on a single computer?
The second part seeks the amount of time, at most, it would take to crack the cipher
given ciphertext C and the related plaintext M. In the worst case this means searching
the entire key space. Because a key is 56 bits long:
Total number of keys = 2^56 = 72,057,594,037,927,936
Now that we know how many keys must be tried, note that only a single block of data has
to be tested per key, but each trial requires a fresh key schedule plus the time to
encrypt (or decrypt, whichever you choose) that block. Thus the equation becomes:
2^56 × (2 µs + 0.5 µs) × 10^-6 s/µs ≈ 1.8 × 10^11 s
Translated into years: ≈ 2,084,999 days ≈ 5712 years
(On average only half the key space has to be searched, so the expected time is about
half of this, roughly 2856 years.)

12. Consider a password system which uses all 102 printable characters of the English (or
American) keyboard, with passwords 8 characters long.

How many distinct passwords are possible under the above scheme? (Give the numbers
approximately as a.b × 10^c.)
Number of passwords = 102^8 ≈ 1.17 × 10^16
If the scheme is limited to the 26 lowercase English letters only (password length still
8 characters), how many passwords will there be?
Number of passwords = 26^8 ≈ 2.09 × 10^11
If the password length is limited to 6 characters (still with 102 characters), how many
passwords will there be?
Number of passwords = 102^6 ≈ 1.12 × 10^12

13. Think of application(s) where private key encryption may not be suitable.


In a distributed system, any given host or terminal may need to make exchanges with many
other hosts and terminals over time. Thus each device needs a separate key to share with
each party it wishes to communicate with. The scale of the problem depends on the number of
communicating pairs that must be supported. If there are N hosts, the number of keys
required is N(N − 1)/2. If encryption is done at the application layer, then a key is needed
for every pair of users or processes that require communication. Thus a network may have
hundreds of hosts but thousands of users and processes. In such situations, private
(symmetric) key encryption may not be appropriate.

14. Assume that passwords have length six and all alphanumerical characters, upper and lower
case, can be used in their construction. How long will a brute force attack take on average if:

(a) it takes one tenth of a second to check a password?


The number of passwords is 62^6 = 56,800,235,584
(62 = 26 lowercase letters + 26 uppercase letters + 10 numerals)
However, it is important to note that the problem asks how long it will take to find a
given password on average, which implies that we need not search the entire space but
only half of it (on average). Thus the password space to search is:
56,800,235,584 / 2 = 28,400,117,792
Time to check = 0.1 s × 28,400,117,792 ≈ 2.84 × 10^9 s ≈ 90 years
(b) it takes a microsecond to check a password?
Time to check = 10^-6 s × 28,400,117,792 ≈ 28,400 s ≈ 7.9 hours

15. Passwords are entered by users and checked by computers. Thus, there has to be some
communications channel between user and computer. So far we have taken a very abstract
view of this channel and assumed that it exists and that it is adequately secure. When this
assumption is justified? When is it not justified?
There are very few times when the transmission can be considered secure. The line is secure
when it is serving a user logging into a machine locally, e.g., a keyboard cable running to a
desktop machine. The line is secure if it is on an internal LAN that only you have access to,
or that a very few (assumed trusted) individuals have access to. A line should never be
considered secure if it is somehow connected to the internet (even if is behind a firewall). In
short, a line should never be considered secure unless you can see it from origin to
destination.

16. Is the following challenge-response a good user identification system?


Every user has a calculator capable of displaying 11 digits, and every user also has a secret
10-decimal digit password. When a user wishes to authenticate himself/herself to the system,
the system generates a random 10-digit number and sends it to the user. The user (using the
calculator) computes the sum of his/her secret password (10 digits) and the random number
and returns this to the system, which then performs the same calculation (and hence verifies
the user's identity).
The authentication function here is addition, which is linear and therefore not a one-way
function. This linear attribute of the authentication system makes discovering a password
trivial. The attacker can passively listen to a communication to:
(1) receive the random number generated by the server and sent to the user,
(2) receive the user's reply, which is the sum of the random number and the 10-digit password,
(3) subtract the random number from the value sent in step 2 to calculate the user's password.
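The passive attack above beside a hardened form of the same exchange, as an added example that is not part of the sheet. The weak scheme is the sheet's (response = password + challenge); the hardened variant is my substitution, a keyed hash (HMAC-SHA-256) of the challenge, which is one-way in the password, with a server that refuses to accept a challenge twice. The password value and the helper names are constructed for the demo.

```python
# Added example (not the sheet's own code): the additive challenge-response of
# Question 16 and an HMAC-based replacement, both sides simulated in one process.
import hashlib
import hmac
import secrets

PASSWORD = 3141592653                       # constructed 10-digit secret for the demo

def new_challenge():
    """Server side: a fresh random 10-digit number."""
    return secrets.randbelow(10**10)

# --- the sheet's scheme: response = password + challenge (linear, not one-way) ---
def weak_response(password, challenge):
    return password + challenge             # fits the 11-digit calculator display

def eavesdropper_recover(challenge, response):
    """Anyone who saw one (challenge, response) pair recovers the password by subtraction."""
    return response - challenge

# --- hardened variant: response = HMAC(password, challenge) ---
def strong_response(password, challenge):
    key = str(password).encode()
    return hmac.new(key, str(challenge).encode(), hashlib.sha256).hexdigest()

class Server:
    """Verifies HMAC responses and rejects replays of an already-used challenge."""
    def __init__(self, password):
        self._password = password
        self._outstanding = set()

    def challenge(self):
        c = new_challenge()
        self._outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False                    # never issued, or already consumed
        self._outstanding.discard(challenge)
        expected = strong_response(self._password, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison

if __name__ == "__main__":
    c = new_challenge()
    print("weak: recovered", eavesdropper_recover(c, weak_response(PASSWORD, c)))
    srv = Server(PASSWORD)
    c = srv.challenge()
    r = strong_response(PASSWORD, c)
    print("strong: first use", srv.verify(c, r), "replay", srv.verify(c, r))
```

Two caveats a practitioner would add: the HMAC form stops the subtraction attack but does not change the password's entropy, so a recorded (challenge, response) pair still allows an offline search of the 10^10 possible passwords; and a 10-digit random challenge must never repeat, or a recorded response can be replayed, which is why the server tracks outstanding challenges.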

17. Design a protocol by which two parties who are separated by a distance can authenticate each
other. Your protocol should be usable the first time these two parties authenticate each
other.

(a) Use some personal information to validate the user (such as birth date, post code or
private phone number). This method does not guarantee 100% authentication, although in
most cases it will be OK.
(b) Use a trusted third party (such as Australia Post, a trusted web site, etc.) to exchange a
secret (which can be a key, or a hash function that can be used to code the response).
(c) Create a public/private key pair and use it to establish the secret.

18. There exists a time-memory trade-off in password guessing described in Hellman (1980). Let
N be the number of possible passwords. In a precomputation step using N trial encryptions, a
table with N^(2/3) entries is constructed. If you later want to find a given encrypted password,
you need N^(2/3) trial encryptions. How much memory space do you need when passwords of
length 6 are chosen from an 8-bit character set? How quickly will you find the password if a
trial encryption takes one microsecond?
A Cryptanalytic Time-Memory Trade-Off, Martin E. Hellman
The technique requires M memory words for table lookup and T time cycles for brute-force
trial (the two extremes: exhaustive search T = N, M = 1, and table lookup T = 1, M = N).
The paper shows that with m as memory parameter and t as time parameter in the
time-memory trade-off technique, M = mt and T = t^2. By choosing M = T, the overall cost
N = mt^2 gives M = T = N^(2/3). The table precomputation cost is ignored (it is done
once), and the attack is a chosen-plaintext one: the attacker precomputes the table using a
plaintext P0 and obtains the corresponding ciphertext from the target.
For all passwords of six 8-bit characters, N = 256^6 = 2^48 ≈ 2.8 × 10^14; for
dictionary-based passwords one gets far fewer.
Using the time-memory trade-off for N = 2^48, the required memory is
N^(2/3) = 2^32 = 4 Giga entries in the lookup table (the size of each entry depends on the
block size of the chosen plaintext, for instance 64 bits for DES and 128 bits for AES). In the
case of DES, 4 G entries × 8 bytes = 32 GB, which is perfectly reasonable, and about 2^32
trial encryptions per password are required, which take 2^32 µs ≈ 4295 seconds. In contrast
to brute force, which would take 2^48 µs ≈ 8.9 years, this scheme is quite efficient.
Interested students can have a closer look at Hellman's scheme. A detailed analysis
of its complexity is given in Serge Vaudenay:
A Classical Introduction to Cryptography, Springer, 2006, on pages 54-58. Further
developments on time-memory trade-offs can be found in:
Alex Biryukov, Adi Shamir, David Wagner: Real Time Cryptanalysis of A5/1 on a PC.
Proceedings FSE 2000, Springer LNCS 1978, pages 1-18, 2001

19. A McDonald's look-alike company, conceived by a Monash MBA, has developed with the
help of 5 chefs a number of recipes which he thinks will take the market by storm.
However, he recently received an anonymous tip stating that three of the five chefs are
considering job offers from their competitor (of course it has to be McDonald's; the
tip-off does not say who they are). Assume that only those 5 chefs can use the company's
computer, which holds the recipes in files, and unfortunately the Monash MBA hasn't done any
subjects from the Faculty of Information Technology, so he does not know how to use the
computer (or its related programs). However, he wants the chefs to store the recipes so
that no subset of three can steal the complete recipes. Describe a method of storing the
information so that the above objective can be met.
The Monash MBA can have a single key K for encrypting the recipe files and split the key
using a secret-sharing scheme into 5 shares (for example Shamir's (4,5) threshold scheme),
distributing one share to each chef. The shares must be constructed so that K can be
recovered from at least (and not fewer than) 4 of the five chefs' shares. That way, 3 chefs
or fewer cannot get access to the encrypted information.

20. In a Shamir (3,5)-threshold scheme, the dealer chooses prime number p = 17, the key k = 4,
a1 = 1 and a2 = 5. What are the individual keys for the participants? Show all the working.
Dealer uses a(x) = [k + a1·x + a2·x²] mod p = [4 + 1·x + 5·x²] mod 17 to
calculate the following individual keys:
First Participant: a(1) = [4 + 1·1 + 5·1²] mod 17 = 10 mod 17 = 10
Second Participant: a(2) = [4 + 1·2 + 5·2²] mod 17 = 26 mod 17 = 9
Third Participant: a(3) = [4 + 1·3 + 5·3²] mod 17 = 52 mod 17 = 1
Fourth Participant: a(4) = [4 + 1·4 + 5·4²] mod 17 = 88 mod 17 = 3
Fifth Participant: a(5) = [4 + 1·5 + 5·5²] mod 17 = 134 mod 17 = 15
21. In a Shamir (2,3)-threshold scheme using prime number 17, the value of the key for
participants 1 and 2, are 11 and 15 respectively. What is the value of the key? Show all the
working.
Solve a(x) = k + a1·x for x = 1 and x = 2, where
a(participant number) = participant key:
for x = 1 we have a(1) = k + a1·1 ≡ 11 (mod 17)   (eq1)
for x = 2 we have a(2) = k + a1·2 ≡ 15 (mod 17)   (eq2)
Multiply (eq1) by 2: 2k + 2a1 ≡ 22 ≡ 5 (mod 17)   (eq3)
Subtract (eq2) from (eq3): (2k − k) + (2a1 − 2a1) ≡ 5 − 15 (mod 17), so
k ≡ −10 (mod 17)
To get the positive remainder, add the modulus to the negative remainder:
k ≡ −10 + 17 = 7 (mod 17)
(There is no need to calculate a1, but from either (eq1) or (eq2) we get
a1 = 4; check: 7 + 2·4 = 15.)
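Shamir's scheme in general form, as an added example that is not part of the sheet. One block serves Questions 19, 20 and 21: `make_shares` evaluates the dealer's polynomial (Question 20), `reconstruct` recovers a(0) by Lagrange interpolation modulo p instead of the two-equation elimination above (Question 21, and it works for any threshold), and `split_key`/`join_key` apply a (4,5) split to a file-encryption key as Question 19 requires. The prime P = 2^255 − 19 and the helper names are my choices; the sheet's own parameters appear in the checks.

```python
# Added example (not the sheet's own code): Shamir (t, n) threshold secret sharing over GF(p).
import secrets

def make_shares(secret, coeffs, n, p):
    """Shares (x, a(x)) for x = 1..n with a(x) = secret + a1*x + ... + a_{t-1}*x^(t-1) mod p.
    The threshold t is len(coeffs) + 1; a (3,5) scheme has two coefficients."""
    shares = []
    for x in range(1, n + 1):
        y = secret
        for i, a in enumerate(coeffs, start=1):
            y = (y + a * pow(x, i, p)) % p
        shares.append((x, y))
    return shares

def reconstruct(shares, p):
    """a(0) by Lagrange interpolation mod p. Correct only when len(shares) >= t; with fewer
    shares it still returns *a* field element, just not the secret, which is the whole point."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p           # product of (0 - xj)
                den = den * (xi - xj) % p       # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, p)) % p   # pow(den, -1, p): inverse mod p
    return secret

P = 2**255 - 19   # a prime large enough to hold any 128-bit key as one field element

def split_key(key_bytes, t, n, p=P):
    """Question 19: put the key in the constant term of a random degree t-1 polynomial."""
    secret = int.from_bytes(key_bytes, "big")
    assert secret < p, "key must fit in the field"
    coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    return make_shares(secret, coeffs, n, p)

def join_key(shares, length, p=P):
    """Recombine at least t shares into the key bytes."""
    return reconstruct(shares, p).to_bytes(length, "big")

if __name__ == "__main__":
    print("Q20 shares:", make_shares(4, [1, 5], 5, 17))          # (3,5), p = 17
    print("Q21 key:", reconstruct([(1, 11), (2, 15)], 17))        # (2,3), p = 17
    K = bytes(range(16))                                          # constructed 128-bit key
    chef_shares = split_key(K, 4, 5)                              # Q19: (4,5)
    print("4 chefs:", join_key(chef_shares[:4], 16) == K)
    print("3 chefs:", reconstruct(chef_shares[:3], P) == int.from_bytes(K, "big"))
```

Any 4 of the 5 chef shares give the key back; any 3 give an unrelated field element, and, because the coefficients are uniformly random, those 3 shares are consistent with every possible key equally, so the chefs learn nothing about K. Shares must be sent to each chef over a confidential channel and the dealer must discard the coefficients.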
