Mid Semester: Examination

This document appears to be a midterm exam for a cryptography course consisting of two questions. Question 1 asks students to design an algorithm to efficiently break a variant of the DES algorithm that uses modified S-boxes. Question 2 describes a key exchange between Anubha and Braj using the Diffie-Hellman scheme over the symmetric group Sn instead of a multiplicative group, and asks how an attacker Ela could compute the key efficiently. The solution proposes a polynomial-time algorithm to solve the discrete logarithm problem over the symmetric group using cycle decompositions.

Uploaded by

Lekha Pyla

CS641 Mid Semester Examination
Modern Cryptology
Indian Institute of Technology, Kanpur

Group Name: 261
Members: Kurt Gödel (280406), Bertrand Russell (180572), Alonzo Church (140603)
Submission Deadline: March 1, 2022, 23:55hrs

Question 1
Consider a variant of the DES algorithm in which all the S-boxes are replaced. The new S-boxes are all identical and defined as follows.

Let b1, b2, ..., b6 represent the six input bits to an S-box. Its four output bits are

b1 ⊕ (b2 · b3 · b4), (b3 · b4 · b5) ⊕ b6, b1 ⊕ (b4 · b5 · b2), (b5 · b2 · b3) ⊕ b6.

Here '⊕' is the bitwise XOR operation and '·' is bitwise multiplication (AND). Design an algorithm to break 16-round DES with the new S-boxes as efficiently as possible.
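The exam paper leaves the solution to Question 1 blank. As an added example (not part of the submitted paper), the following Python code implements the modified S-box exactly as defined above and tabulates its difference distribution table (DDT), the standard first measurement when assessing an S-box against differential cryptanalysis. Bit ordering is an assumption made here: b1 is the most significant input bit and the first output bit is the most significant output bit.

```python
# Added example: implement the Question 1 S-box and tabulate its DDT.
# Assumption: b1 is the MSB of the 6-bit input; first output bit is the MSB of the 4-bit output.

def sbox(x: int) -> int:
    """Modified S-box from Question 1: 6-bit input x -> 4-bit output."""
    b1, b2, b3, b4, b5, b6 = [(x >> (5 - i)) & 1 for i in range(6)]
    o1 = b1 ^ (b2 & b3 & b4)
    o2 = (b3 & b4 & b5) ^ b6
    o3 = b1 ^ (b4 & b5 & b2)
    o4 = (b5 & b2 & b3) ^ b6
    return (o1 << 3) | (o2 << 2) | (o3 << 1) | o4

def sbox_table():
    """Full lookup table of the S-box over all 64 inputs."""
    return [sbox(x) for x in range(64)]

def ddt(table):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    counts = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            counts[dx][table[x] ^ table[x ^ dx]] += 1
    return counts

def max_nonzero_entry(counts):
    """Largest DDT count over nonzero input differences.

    64 means some input difference maps to a single output difference with
    probability 1, i.e. the S-box offers no differential confusion at all."""
    return max(v for dx in range(1, 64) for v in counts[dx])

def deterministic_differences(counts):
    """Input differences dx whose output difference is fixed (count 64)."""
    return [dx for dx in range(1, 64) if 64 in counts[dx]]

if __name__ == "__main__":
    table = sbox_table()
    counts = ddt(table)
    print("max DDT entry for dx != 0:", max_nonzero_entry(counts))
    print("deterministic input differences:", deterministic_differences(counts))
```

Because b1 and b6 enter every output bit only linearly, flipping b1 alone always flips output bits 1 and 3, and flipping b6 alone always flips output bits 2 and 4, so those two input differences propagate with probability 1 through every round; the DDT makes that visible without any hand analysis.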

Solution

Question 2
Suppose Anubha and Braj decide to do key-exchange using the Diffie-Hellman scheme, except for the choice of the group used. Instead of using F_p^* as in Diffie-Hellman, they use S_n, the group of permutations of the numbers in the range [1, n]. It is well known that |S_n| = n! and therefore, even for n = 100, the group has a very large size. The key-exchange happens as follows:

An element g ∈ S_n is chosen such that g has large order, say l. Anubha randomly chooses a number c ∈ [1, l − 1] and sends g^c to Braj. Braj chooses another random number d ∈ [1, l − 1] and sends g^d to Anubha. Anubha computes k = (g^d)^c and Braj computes k = (g^c)^d.

Show that an attacker Ela can compute the key k efficiently.

Solution

Basic Idea
We observe that the underlying hardness assumption for the DH scheme over the symmetric group is the discrete logarithm problem over S_n. Suppose O denotes the oracle that computes h = g^α for given g and α, and O^{-1} denotes the oracle that computes the discrete log, that is, for given h and g it returns α.
In the problem, Anubha (A) and Braj (B) run the oracle O privately to compute g^c and g^d respectively. Our task is to design an oracle O^{-1} that runs in polynomial time, which makes it computationally feasible to retrieve c and d. After computing c and d, we query the oracle O on (g, c · d) to compute g^{c·d}, which is the shared key k. Hence we are able to solve the question.
The next section sketches the idea for constructing O^{-1}. A complexity analysis is then carried out, and the discussion ends with a mathematical justification of our claims.

Cryptanalysis
Recall that g and h = g^α are publicly available and the goal is to compute α. Any element e ∈ S_n can be represented either in cycle notation or as a list of images [e(1), e(2), ..., e(n)].

GP 261 2
Phase 1: Suppose g and h are decomposed into disjoint cycles

g = g_1 ∘ g_2 ∘ ... ∘ g_r

h = h_1 ∘ h_2 ∘ ... ∘ h_s

where ∘ denotes the composition operation. Note that every i ∈ {1, 2, ..., n} lies in exactly one cycle of g and in exactly one cycle of h.

• Time Complexity: The decomposition requires O(n) time. Without loss of generality we assume that g acts on 1, 2, ..., n. Start from i = 1, do a look-up and compute the image of i under g. When the image equals the starting element of the current cycle, close the cycle and move on to the next element not yet visited; otherwise append g(i) to the end of the cycle and repeat the process from that image. Each element is looked up exactly once, so at most n look-ups are required.

Phase 2: Maintain arrays G and H.

– The i-th entry G[i] contains
  1. the index j of the cycle g_j containing i,
  2. the location of i within this cycle (1 ≤ i ≤ n).
  Basically G[i] can be considered as a tuple (j, p(i)) recording that element i appears in cycle g_j at position p(i).
– H[i] is constructed in the same fashion: H[i] = (k, p(i)) means that element i appears in cycle h_k at location p(i). So H[i] contains:
  1. the index k of the cycle h_k containing i,
  2. the location of i within this cycle (1 ≤ i ≤ n).

• Time Complexity: The arrays G and H each hold 2n integers. Clearly the construction of G and H requires O(n) time.

Phase 3: Again maintain two arrays X[k] and Y[k], where X[k] holds the first element of cycle h_k of h and Y[k] holds the second element of cycle h_k of h. Note that X[k] = Y[k] for length-one cycles. Our previously constructed array G lets us find the cycle of g containing X[k] and Y[k] for each k. Use an array Z[k] to store the difference between their locations, that is, Z[k] = p(Y[k]) − p(X[k]) for each cycle index k. Then compute the length of the cycle of g containing X[k] and store it in W[k].

GP 261 3
• Time Complexity: Since g^α has at most n cycles, the arrays X and Y have size at most n. Clearly X[k] and Y[k] lie in the same cycle g_{k'} of g for some k'. Finding k' needs one look-up in array G to identify which cycle of g the value X[k] lies in, so this requires O(n) look-ups in total. Looking up the location numbers of Y[k] and X[k] and subtracting needs O(n) operations and O(n) look-ups.

Phase 4: To obtain the value of α we need to apply the CRT, because at this point we have

α ≡ Z[i] mod W[i] for 1 ≤ i ≤ |Z|.

So we have at most |Z| linear congruences, where for any i, j, gcd(W_i, W_j) ≠ 1 (so the generalized CRT with non-coprime moduli is needed).

• Time Complexity: Here we analyze the time complexity of solving the system of at most n modular linear congruences. Consider first the two congruences

α ≡ Z[1] mod W[1]

α ≡ Z[2] mod W[2].

Let α_1 be the solution of these two congruences, that is, α ≡ α_1 mod lcm(W[1], W[2]). Solving them uses the extended Euclidean algorithm, which needs O(log(W[1]) · log(W[2])) time; since every W[i] ≤ n, this is O(log² n).
Now again combine

α ≡ α_1 mod lcm(W[1], W[2])

α ≡ Z[3] mod W[3].

Let α_2 denote the solution of these two congruences. As above, computing α_2 needs O(log² n) time. Thus to solve |Z| ≈ O(n) congruences we perform the extended Euclidean algorithm (n − 1) times. The time complexity is therefore

O( Σ_{k=1}^{n−1} k · log² n ) = O(n² log² n).

Hence the time complexity for computing α is O(n² log² n).
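The four phases above, carried through as an added example (this is not code from the submitted paper). The permutation is represented as a list of images on 0..n−1 rather than 1..n, which is an assumption made here; cycles_of is Phase 1, position_table is Phase 2, and discrete_log performs Phases 3 and 4, merging the congruences α ≡ Z[k] (mod W[k]) with a CRT step that tolerates non-coprime moduli. The attacker role of Ela is shown by recover_shared_key, which takes only the public values g, g^c, g^d.

```python
# Added example: discrete logarithm in S_n via cycle decomposition (Phases 1-4).
# Assumption: a permutation is a list p with p[i] = image of i, for i in 0..n-1.
from math import gcd

def compose(p, q):
    """(p ∘ q)(i) = p(q(i))."""
    return [p[q[i]] for i in range(len(p))]

def power(g, e):
    """g^e by square-and-multiply; this is the oracle O from the write-up."""
    result, base = list(range(len(g))), g
    while e:
        if e & 1:
            result = compose(base, result)
        base = compose(base, base)
        e >>= 1
    return result

def cycles_of(perm):
    """Phase 1: disjoint cycle decomposition, O(n) look-ups."""
    n, seen, cycles = len(perm), [False] * len(perm), []
    for i in range(n):
        if seen[i]:
            continue
        cyc, j = [], i
        while not seen[j]:
            seen[j] = True
            cyc.append(j)
            j = perm[j]
        cycles.append(cyc)
    return cycles

def position_table(cycles, n):
    """Phase 2: table[i] = (index of the cycle containing i, position of i in it)."""
    table = [None] * n
    for j, cyc in enumerate(cycles):
        for p, i in enumerate(cyc):
            table[i] = (j, p)
    return table

def crt_combine(a1, m1, a2, m2):
    """Merge α ≡ a1 (mod m1) and α ≡ a2 (mod m2) into α ≡ a (mod lcm(m1, m2)).
    Moduli need not be coprime; returns None if the pair is inconsistent."""
    d = gcd(m1, m2)
    if (a2 - a1) % d != 0:
        return None
    m1d, m2d = m1 // d, m2 // d
    t = 0 if m2d == 1 else ((a2 - a1) // d * pow(m1d, -1, m2d)) % m2d
    l = m1d * m2
    return (a1 + m1 * t) % l, l

def discrete_log(g, h):
    """Phases 3 and 4: given h = g^α, return α mod ord(g); None if h is not a power of g."""
    n = len(g)
    gcycles = cycles_of(g)
    G = position_table(gcycles, n)
    a, m = 0, 1                       # running solution α ≡ a (mod m)
    for hk in cycles_of(h):
        x, y = hk[0], hk[1] if len(hk) > 1 else hk[0]   # X[k], Y[k]
        (jx, px), (jy, py) = G[x], G[y]
        if jx != jy:                  # h maps x outside its g-cycle: not a power of g
            return None
        w = len(gcycles[jx])          # W[k]
        z = (py - px) % w             # Z[k]: α ≡ z (mod w)
        merged = crt_combine(a, m, z, w)
        if merged is None:
            return None
        a, m = merged
    return a if power(g, a) == h else None

def recover_shared_key(g, g_c, g_d):
    """Ela's computation: c from (g, g^c), then k = (g^d)^c; None if no log exists."""
    c = discrete_log(g, g_c)
    return None if c is None else power(g_d, c)

if __name__ == "__main__":
    # Constructed sample: cycles of length 2, 3 and 5 on 0..9, so ord(g) = 30.
    g = [1, 0, 3, 4, 2, 6, 7, 8, 9, 5]
    c, d = 17, 23
    g_c, g_d = power(g, c), power(g, d)
    print("recovered c:", discrete_log(g, g_c))
    print("key matches:", recover_shared_key(g, g_c, g_d) == power(g, c * d))
```

Every element of 0..n−1 belongs to some cycle of h, so by the time the loop ends the modulus m has grown to lcm of all cycle lengths of g, which is exactly ord(g); the returned α is therefore the discrete log modulo the order of g, which is all that the key computation needs. The final power(g, a) == h check rejects an h that is not a power of g at all, a case the exam write-up does not need to handle but a real implementation should.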

Correctness

References
