
Cryptography Mid-Semester Solution

The document contains the answer key for a cryptography question paper from October 6, 2022. It includes solutions to 10 questions related to concepts like encryption functions, AES encryption in CBC mode, padding in encryption modes, DES S-boxes, DES encryption/decryption processes, finite field arithmetic, basic units of cryptographic ciphers, linear congruential generators, and linear feedback shift registers. Detailed explanations and work are provided for each question.


Cryptography

Question Paper

October 6, 2022

0.1 Answer Key
1. Let $E_K$ denote a function from $\mathbb{Z}_{26} \to \mathbb{Z}_{26}$, where $K \in \mathbb{Z}_{26}$ denotes the key. Which of the following function(s) can be used as encryption function(s) and which cannot be:
$E_K(M) \equiv M \bmod 26$, $E_K(M) \equiv K \bmod 26$, $E_K(M) \equiv (M + K) \bmod 26$, $E_K(M) \equiv M \cdot K \bmod 26$. Justify your answer. [3 marks]

Solution 0.1. • $E_K(M) \equiv M \bmod 26$ and $E_K(M) \equiv (M + K) \bmod 26$ can be used as encryption functions, because they are one-to-one functions $\forall K \in \mathbb{Z}_{26}$.

• $E_K(M) \equiv K \bmod 26$ and $E_K(M) \equiv M \cdot K \bmod 26$ cannot be used as encryption functions $\forall K \in \mathbb{Z}_{26}$, because they are not one-to-one functions. So, after receiving the ciphertext, the receiver will not be able to decrypt the message correctly. However, $E_K(M) \equiv M \cdot K \bmod 26$ can be used as an encryption function for all $K$ such that $\gcd(K, 26) = 1$.

2. Suppose you want to encrypt the following message (consider ‘space’ as a character) using AES in CBC mode. Write down the input block(s) including padding. [2 marks]
THE THAW IN LADAKH

Solution 0.2. • The first block is THE THAW IN LADA

• The second block is KH||0E||0E||0E||0E||0E||0E||0E||0E||0E||0E||0E||0E||0E||0E

3. Write down the names of the modes of operation (mentioned in your syllabus) which do not require padding. [‘-0.5’ for writing each wrong answer] [2 marks]

Solution 0.3. • Cipher Feedback (CFB),


• Output Feedback (OFB),
• Counter (CTR), and
• Galois Counter Mode (GCM)

4. Consider the following S-box of DES. Write down the output of the two inputs ‘20’ and ‘9’ and justify your answer. [2 marks]

Solution 0.4. • The binary representation of $(20)_{10}$ is $(010100)_2$. To write down S-box(20), 00 indicates the row number and 1010 indicates the column number. So, we have S-box(20) = 3.

• In a similar manner, we have $(9)_{10} = (001001)_2$. So, 01 gives us the row number and 0100 gives the column position. Thus, we have S-box(9) = 4.

5. Prove that DES decryption can be done by applying the DES encryption algorithm with the key schedule reversed. [4 marks]

Solution 0.5. Since $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(k_i, R_{i-1})$ for $1 \le i \le 16$, and for decryption we know $L_i$, $R_i$, and $k_i$, we can compute

$$R_{i-1} = L_i$$

$$L_{i-1} = R_i \oplus f(k_i, R_{i-1}) = R_i \oplus f(k_i, L_i).$$

In order for this to work, the DES encryption at each stage must be applied with the left and right halves reversed; this is the case since the output ciphertext is given by $IP^{-1}(R_{16} \| L_{16})$. Since the $i$th values are used to compute the $(i-1)$st values, the $k_i$ must be used with the key schedule reversed.

Let $DES(k, m)$ represent the encryption of plaintext $m$ with key $k$ using the DES cryptosystem. Suppose $c = DES(k, m)$ and $c' = DES(\bar{k}, \bar{m})$. Prove that $c' = \bar{c}$ (i.e., if we complement the plaintext and the key, then the ciphertext is also complemented). Note that this can be proved using only the “high-level” description of DES; the actual structure of S-boxes and other system components are irrelevant. [4 marks]

Solution 0.6. The permutations, expansion permutation (EP), selection permutation or permuted choice (PC), key rotations and key selection permutation all behave the same regardless of their input, since DES is closed under complement. Thus, a bit complemented in the input will be complemented in the output, at the position assigned to that bit. This is not true of the S-box computation.

Letting $m \in \{0, 1\}^X$ and denoting the unitary vector on $X$ as $\mathbf{1} = (1, 1, \ldots, 1)$, note that the complement of $m$ is given by $\bar{m} = \mathbf{1} \oplus m$. Letting $n \in \{0, 1\}^X$, we have

$$\bar{m} \oplus \bar{n} = \mathbf{1} \oplus m \oplus \mathbf{1} \oplus n = m \oplus n,$$

and

$$\bar{m} \oplus n = \mathbf{1} \oplus m \oplus n = \overline{(m \oplus n)}.$$

After the initial permutation, we have $L_0$ and $R_0$. Since $L_i = R_{i-1}$, we will obtain $L_i$ after each stage with $R_{i-1}$ as input. If we let $A = R_i$, $B = EP(A)$, $C = B \oplus k_i$, $D = S(C)$ where $S$ denotes an S-box, and $E = PC(D)$, then if $A' = \bar{A}$ and $B' = \bar{B}$ (i.e., the EP or expansion permutation preserves complement), then

$$C' = \bar{B} \oplus \bar{k}_i = B \oplus k_i = C.$$

Since $C' = C$, the output of the S-boxes and permuted choices will be of similar form (i.e., $D' = \bar{D}$ and $E' = \bar{E}$). Due to the fact that, after the $i$th stage, the output’s right partition

$$R_i = E' \oplus L_{i-1} = \bar{E} \oplus L_{i-1} = \bar{R}_i,$$

the inverse input permutation $IP^{-1}$ applied to $(L_{16}, R_{16})$ will result in the DES output being the complement of the ciphertext.

6. Consider 0x16 as an element of $GF(2^8) = GF(2)[x]/\langle x^8 + x^4 + x^3 + x + 1 \rangle$. Compute the value $S(\mathrm{0x16})$, where the function $S$ is defined as $S(x) = f_3(f_2(f_1(x)))$, where all $f_i$s are functions $f_i : GF(2^8) \to GF(2^8)$ for $i = 1, 2, 3$:

$$f_1(x) \equiv \begin{cases} x^{-1} \bmod (x^8 + x^4 + x^3 + x + 1) & \text{if } x \neq 0 \\ 0 & \text{if } x = 0, \end{cases}$$

$f_2(y) \equiv (x^4 + x^3 + x^2 + x + 1) \cdot y \bmod (x^8 + 1)$, and $f_3(z) = (x^6 + x^5 + x + 1) + z$. [5+2+1 marks]

Solution 0.7. If we consider 0x16 as an element of $GF(2^8) = GF(2)[x]/\langle x^8 + x^4 + x^3 + x + 1 \rangle$, then 0x16 can be represented as

$$x^4 + x^2 + x.$$

To compute $f_1(x^4 + x^2 + x)$, we have to find $(x^4 + x^2 + x)^{-1} \bmod (x^8 + x^4 + x^3 + x + 1)$. We will apply the extended Euclidean algorithm for that.

$$\begin{aligned}
x^8 + x^4 + x^3 + x + 1 &= (x^4 + x^2 + x)(x^4 + x^2 + x) + (x^3 + x^2 + x + 1) \\
x^4 + x^2 + x &= (x + 1)(x^3 + x^2 + x + 1) + (x^2 + x + 1) \\
x^3 + x^2 + x + 1 &= x(x^2 + x + 1) + 1
\end{aligned}$$

$$\begin{aligned}
\Rightarrow 1 &= (x^3 + x^2 + x + 1) + x(x^2 + x + 1) \\
&= (x^3 + x^2 + x + 1) + x\{(x^4 + x^2 + x) + (x + 1)(x^3 + x^2 + x + 1)\} \\
&= (x^2 + x + 1)(x^3 + x^2 + x + 1) + x(x^4 + x^2 + x) \\
&= (x^2 + x + 1)\{(x^8 + x^4 + x^3 + x + 1) + (x^4 + x^2 + x)(x^4 + x^2 + x)\} + x(x^4 + x^2 + x) \\
&= (x^2 + x + 1)(x^8 + x^4 + x^3 + x + 1) + \{(x^2 + x + 1)(x^4 + x^2 + x) + x\}(x^4 + x^2 + x) \\
&= (x^2 + x + 1)(x^8 + x^4 + x^3 + x + 1) + \{(x^6 + x^5 + x) + x\}(x^4 + x^2 + x) \\
\Rightarrow 1 &= (x^2 + x + 1)(x^8 + x^4 + x^3 + x + 1) + (x^6 + x^5)(x^4 + x^2 + x) \\
\Rightarrow 1 &\equiv (x^6 + x^5)(x^4 + x^2 + x) \bmod (x^8 + x^4 + x^3 + x + 1)
\end{aligned}$$

Thus, we have

$$f_1(x^4 + x^2 + x) \equiv (x^6 + x^5) \bmod (x^8 + x^4 + x^3 + x + 1).$$

Now, $f_2(x^6 + x^5) \equiv (x^4 + x^3 + x^2 + x + 1)(x^6 + x^5) \bmod (x^8 + 1) \equiv (x^5 + x^2) \bmod (x^8 + 1)$.

So, we have $f_3(x^5 + x^2) = (x^6 + x^5 + x + 1) + x^5 + x^2 = x^6 + x^2 + x + 1 = (01000111)_2 = (47)_{16}$.

Thus,

$$S(\mathrm{0x16}) = \mathrm{0x47}.$$
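
The three maps of Solution 0.7 can be checked mechanically. The following Python sketch is an added example, not part of the original answer key; the function names and the encoding of a polynomial as an integer (bit i is the coefficient of x^i) are choices made for this illustration.

```python
# Added example. A polynomial over GF(2) is an int: bit i is the coefficient of x^i.
AES_MOD = 0x11B   # x^8 + x^4 + x^3 + x + 1

def pdivmod(a, b):
    """Long division of polynomials over GF(2); returns (quotient, remainder)."""
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def pmul(a, b):
    """Unreduced (carry-less) product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def f1(x):
    """Inverse of x modulo AES_MOD via the extended Euclidean algorithm; f1(0) = 0."""
    if x == 0:
        return 0
    r0, r1, t0, t1 = AES_MOD, x, 0, 1   # invariant: r_i == t_i * x (mod AES_MOD)
    while r1 != 1:
        q, r = pdivmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, t0 ^ pmul(q, t1)
    return pdivmod(t1, AES_MOD)[1]

def f2(y):
    """Multiply by x^4 + x^3 + x^2 + x + 1 (0x1F) modulo x^8 + 1 (0x101)."""
    return pdivmod(pmul(0x1F, y), 0x101)[1]

def f3(z):
    """Add the constant x^6 + x^5 + x + 1 (0x63); addition in GF(2^8) is XOR."""
    return z ^ 0x63

def S(x):
    """The composed map S = f3 . f2 . f1 from question 6."""
    return f3(f2(f1(x)))

if __name__ == "__main__":
    # Intermediate values for the input 0x16 used in the question.
    print(hex(f1(0x16)), hex(f2(f1(0x16))), hex(S(0x16)))
```

Running `S` over all 256 inputs shows that the composed map is a permutation of the byte values, and the quotients produced inside `f1` for 0x16 are the ones in the hand derivation.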

7. Write down the basic unit of implementation of the following: DES cipher, AES cipher, LFSR, RC4 cipher, Trivium cipher, and ChaCha20 cipher. [3 marks]

Solution 0.8.
• DES cipher – bit
• AES cipher – byte
• LFSR – bit
• RC4 cipher – byte
• Trivium cipher – bit
• ChaCha20 cipher – 32-bit word

8. Write down a particular value of $\alpha$ and $\beta$ for which we will get the maximum period of the sequence $x_n \equiv (\alpha \cdot x_{n-1} + \beta) \bmod 3124$, where $n \ge 1$. Justify your choices for $\alpha$ and $\beta$. [4 marks]

Solution 0.9. If $\beta \neq 0$, the LCG generates a sequence of length $3124 = 2^2 \times 11 \times 71$ iff

(i) $\gcd(\beta, 3124) = 1$,
(ii) since $2 \mid 3124$, $11 \mid 3124$, $71 \mid 3124$, therefore $2 \mid (\alpha - 1)$, $11 \mid (\alpha - 1)$, $71 \mid (\alpha - 1)$,
(iii) since $4 \mid 3124$, therefore $4 \mid (\alpha - 1)$.

Thus, the only choice for $\alpha$ is 1, and $\beta$ can take any value such that $\gcd(\beta, 3124) = 1$.
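
Conditions (i) to (iii) can be tested against a brute-force period count. The Python sketch below is an added example, not part of the original answer key; the function names are chosen for this illustration, and it goes slightly beyond the modulus 3124 by accepting any modulus m.

```python
# Added example: conditions (i)-(iii) of Solution 0.9 versus a measured period.
from math import gcd

def prime_factors(n):
    """Set of prime divisors of n, by trial division."""
    ps, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            ps.add(p)
            n //= p
        p += 1
    if n > 1:
        ps.add(n)
    return ps

def full_period_conditions(alpha, beta, m):
    """True iff (i) gcd(beta, m) = 1, (ii) every prime p | m divides alpha - 1,
    and (iii) 4 | (alpha - 1) whenever 4 | m."""
    if gcd(beta, m) != 1:
        return False
    if any((alpha - 1) % p for p in prime_factors(m)):
        return False
    if m % 4 == 0 and (alpha - 1) % 4:
        return False
    return True

def period(alpha, beta, m, x0=0):
    """Length of the cycle that x_n = (alpha * x_{n-1} + beta) mod m enters from x0."""
    seen, x, n = {}, x0, 0
    while x not in seen:
        seen[x] = n
        x = (alpha * x + beta) % m
        n += 1
    return n - seen[x]

def full_period_multipliers(m):
    """All alpha in [0, m) that satisfy conditions (ii) and (iii)."""
    return [a for a in range(m) if full_period_conditions(a, 1, m)]

if __name__ == "__main__":
    print(full_period_multipliers(3124))                  # multipliers allowed for m = 3124
    print(period(1, 5, 3124), period(1, 2, 3124))         # gcd(beta, m) = 1 versus 2
    print(period(1563, 1, 3124))                          # alpha - 1 = 1562 fails condition (iii)
```

With $\alpha = 1$ the recurrence reduces to $x_n = x_0 + n\beta \bmod 3124$, so the full-period sequence for this modulus is an arithmetic progression.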

First write down your registration number of the form lcs2020abc/lit2020abc. Take the decimal value of ‘abc’ and add 40 to it. Convert the result to binary format of length seven. Prepend these 7 bits to the following sequence 001011111001001011001010100000011101100001110101 and write down the number of runs having different lengths. [4 marks]

9. Consider $x^6 + x^5 + 1$ as your connection polynomial for the LFSR and take the decimal value ‘20’ as your initial register. Draw the diagram for the LFSR and then generate the next 10 consecutive registers along with the output sequence. [2+5 marks]

Solution 0.10.

0 1 0 1 0 0

010100 → 0

001010 → 0
100101 → 1
110010 → 0
111001 → 1
111100 → 0
011110 → 0
101111 → 1
010111 → 1
001011 → 1
000101 → 1
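
The register listing above can be regenerated in code. The Python sketch below is an added example, not part of the original answer key; it assumes the convention that matches the listed states (shift right, output the rightmost bit, feedback enters on the left) and reads the connection polynomial $1 + x^5 + x^6$ as the recurrence $s_j = s_{j-5} \oplus s_{j-6}$. Function names are chosen for this illustration.

```python
# Added example: Fibonacci LFSR under the shift-right convention assumed above.
def taps_from_connection(exponents, nbits):
    """Tap mask for C(x) = 1 + sum of x^e. The rightmost bit (bit 0) holds the
    oldest value s_{j-nbits}, so the term x^e selects bit (nbits - e)."""
    mask = 0
    for e in exponents:
        mask |= 1 << (nbits - e)
    return mask

def step(state, mask, nbits):
    """One clock: returns (next_state, output_bit)."""
    out = state & 1
    feedback = bin(state & mask).count("1") & 1      # XOR of the tapped bits
    return (feedback << (nbits - 1)) | (state >> 1), out

def run(state, mask, nbits, steps):
    """List of (register as bit string, output bit) for `steps` clocks."""
    rows = []
    for _ in range(steps):
        nxt, out = step(state, mask, nbits)
        rows.append((format(state, f"0{nbits}b"), out))
        state = nxt
    return rows

def period(state, mask, nbits):
    """Number of clocks until the register returns to its starting value."""
    start, n = state, 0
    while True:
        state, _ = step(state, mask, nbits)
        n += 1
        if state == start:
            return n

if __name__ == "__main__":
    mask = taps_from_connection([5, 6], 6)           # x^6 + x^5 + 1
    for reg, out in run(20, mask, 6, 11):            # initial register 20 = 010100
        print(reg, "->", out)
    print("period:", period(20, mask, 6))
```

The measured period of 63 equals $2^6 - 1$, the longest cycle a 6-bit LFSR can have.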
