Cryptography Midterm Exam 2013/04/16

Part I (3 points each)

1. Which quotient ring is NOT isomorphic to GF 32?

A. GF 2 [ x] / < x5 + x4 + x3 + x +1 > B. GF 2 [ x] / < x5 + x3 +1 >
C. GF 2 [ x] / < x5 + x4 + x3 + x2 +1 > D. GF 2 [ x] / < x5 + x4 +1 > E. None of the above

2. Which irreducible polynomial over GF 3 is primitive?

A. x3 + 2x +1 B. x3 + 2x +2 C. x3 + x2 +2 D. x3 + x2 + x +2 E. None of the above

3. Which is the effective key length of three-key triple DES?

A. 84 B. 112 C. 128 D. 168 E. None of the above

4. Assume a company with 200 employees. A new security policy demands encrypted
message exchange with a symmetric cipher. How many keys are required, if a secret
communication is ensured for every possible pair of communicating parties?
A. 199 B. 200 C. 1990 D. 2000 E. None of the above

5. In a Feistel cipher, every encryption round consists of Li = Ri 1 and

A. Ri = Li 1  f (Li 1, ki ) B. Ri = Li 1  f (Ri 1, ki )
C. Ri = Ri 1  f (Ri 1, ki ) D. Ri = Ri 1  f (Li 1, ki ) E. None of the above

6. The encryption of the block cipher IDEA mixes operations from three different
algebraic groups. Which is NOT one of the groups?
A. ({0, 1}16,  (XOR)) B. (Z65536, + mod 65536)
C. (S16, ◦ (composition)) D. (Z65537*,  mod 65537) E. None of the above

7. Let mi’s and ci’s be plaintext and ciphertext blocks respectively. With a decryption
algorithm d and a key k, which is the decryption operation of CBC mode for i > 1?
A. mi = dk (ci)  mi1 B. mi = dk (ci  mi1)
C. mi = dk (ci)  ci1 D. mi = dk (ci  ci1) E. None of the above

8. The block cipher SAFER (Secure And Fast Encryption Routine) has the 8-bit S-box
constructed by S(x) = 45x mod 257, where 256 is represented by 0. Apparently,
(Z257*, ) = <45>, i.e., 45 is a generator (primitive root) of the cyclic group Z257*.
Which of the following mappings is NOT a bijective 8-bit S-box?
A. S(x) = 455x mod 257 B. S(x) = 456x mod 257
C. S(x) = 459x mod 257 D. S(x) = 4515x mod 257 E. None of the above
9. Which stream cipher has the keystream
generation shown by the figure, where
one byte K is generated in each iteration?
A. RC4 B. SEAL C. Crypto1
D. A5/1 E. None of the above

10. Which statement is FALSE?

A. The key length of 128 bits is sufficient for long term (several decades) security
even if practical quantum computers are present
B. Obtaining a secret key by measuring the electrical power consumption of a
processor which operates on the secret key is an example of side-channel analysis
C. Kerckhoff’s Principle means that a cryptosystem should be secure even if an
attacker knows all details about the system, with the exception of the secret key
D. All encryption schemes from ancient times until 1976 were symmetric ones
E. None of the above

Part II (3 points each)

 Euler’s Theorem and Fermat Little Theorem

 22013 34 516 mod 13 = 11 (between 0 and 12)
 32013 54 916 mod 14 = 12 (between 0 and 13)
[If you saw the home page of Google yesterday, then you learned that yesterday
(2013.4.15) was the 306th birthday of Leonhard Euler]

 Consider the multiplicative group G = Z31*.

 The order of 27 in G is 13 . [Note 27  4 (mod 31)]
 The solution to the discrete logarithm 3x  22 (mod 31) is x = 14 .

 The sequence 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, … is generated by an LFSR of degree 4.

 The period of the sequence is 15 .
 The next three bits (11th ~ 13th bit) of the sequence are 16 .

 A. ECB B. CBC C. OFB D. CFB E. CTR F. GCM

From the above list of modes of operations, select appropriate ones satisfying the
following specified property respectively.
 Both the encryption and decryption functions of a block cipher are used: 17
 Decryption can be parallelized while encryption can NOT be parallelized: 18
 A one-bit transmission error of ciphertext affects only one bit of the decrypted
plaintext: 19
 a = 20 and b = 21 is the pair of integers satisfying 37 a + 256 b = 1,
where a is the least positive one. If an affine cipher has the encryption formula
y = 37 x + 91 mod 256, where x, y  Z256 are plaintext and ciphertext respectively,
then the decryption formula is x = 22 mod 256.

 Complete the table for DES and AES:

DES AES
Key Length (bits) 56 128 192 256
Block Length (bits) 64 23
Number of Rounds 24 10 12 25
Number of Different S-box(s) 26 1

 Complete the table of key lengths of algorithms for different security levels:
Algorithm Family Cryptosystems Security Level (bit)
80 128 192 256
Symmetric-key PRESENT, AES 80 128 192 256
Elliptic Curves ECDH, ECDSA 160 256 27 512
Integer Factorization, RSA, DSA, ElGamal, 1024 28 7680 15360
Discrete Logarithm DH (Diffie-Hellman)

 Consider a simple brute force attack on DES which runs on COPACOBANA.

Assume the implementation details as below.
 COPACOBANA platform with 20 FPGA modules
 6 FPGAs per FPGA module
 4 DES engines per FPGA
 Each DES engine is fully pipelined and is capable of performing one
encryption per clock cycle
 100 MHz clock frequency
 The average runtime of an exhaustive key-search on DES is 29 days
(rounded to the closest integer).
 To achieve the average search time of one hour, 30 COPACOBANA
machines are required.
Part III (Write down all details of your work)

31 (3 points) The internal structure of the stream cipher Trivium is shown as the
following diagram on the textbook. Unfortunately, this diagram is wrong.

The specification of the key stream generation of Trivium is as below.

Draw the correct diagram on the answer sheet.

32 (7 points)
(i) Besides P(x) = x4 + x + 1, list all irreducible polynomials of degree 4 over GF(2).
(ii) Factor x16  x over GF(2).
(iii) Compute (x3 + x + 1) / (x2 + x) in GF(24) which is represented by P(x).
Cryptography Midterm Exam 2013/04/16
Name: ____________ Student ID number: ____________

1 2 3 4 5 6 7 8 9 10

11 12 13 14 15

16 17 18 19 20

21 22 23 24 25

26 27 28 29 30

31

32
Cryptography Midterm Exam 2013/04/16

Solution
1 2 3 4 5 6 7 8 9 10

D A B E B C C B A A
11 12 13 14 15

2 3 10 17 15
16 17 18 19 20

0, 0, 0 AB BD CEF 173
21 22 23 24 25

25 173 ( y  91) 128 16 14

26 27 28 29 30

8 384 3072 9 (8.696) 209 (208.7)

31

32

(i) x4 + x3 + 1, x4 + x3 + x2 + x + 1
(ii) x (x + 1) (x2 + x + 1) (x4 + x + 1) (x4 + x3 + 1) (x4 + x3 + x2 + x + 1)
(iii) x2 [(x2 + x)1 = x2 + x + 1]