Republic of the Philippines

UNIVERSITY OF NORTHERN PHILIPPINES

Tamag, Vigan City
2700 Ilocos Sur

COLLEGE OF COMMUNICATION AND INFORMATION TECHNOLOGY

CSP 113 Information Assurance and Security

Activity # 1
First Term | SY 2024-2025

Name: Ivan Dominic Hernando Score:

Course|Year|Section: BSCS 4B Date:

Chapter 4 Block Ciphers and the Data Encryption Standard

Problems
1. A
a. In Section 4.1, under the subsection on the motivation for the Feistel cipher structure it was
stated that, for a block of n bits, the number of different reversible mappings for the ideal
block cipher is 2^n!. Justify.
 For an n-bit block cipher, there are 2^n possible inputs and outputs. Since a block
cipher is a bijection, each n-bit input has a unique corresponding n-bit output.
The total number of possible reversible mappings (bijections) for such a cipher is
(2^n)!, meaning there are 2^n! possible reversible mappings in an ideal block
cipher.
b. In that same discussion, it was stated that for the ideal block cipher, which allows all
possible reversible mappings, the size of the key is n * 2^n bits. But, if there are 2^n!
possible mappings, it should take log2 2^n! bits to discriminate among the different
mappings, and so the key length should be log2 2n!. However, log2 2^n! < n < 2n. Explain
the discrepancy
 An ideal block cipher should have a key length of n×2^n bits, enabling a total of
2(n×2^n) possible keys. In contrast, the number of reversible mappings is 2^n! which
requires n! bits to differentiate. Although n! increases rapidly, the n×2n key space
remains sufficiently large to ensure security, providing more potential keys than
what is needed to encompass the mappings. This relationship, expressed as n!
<n<2n, illustrates that the key length can maintain practical security without
necessitating a direct correlation with the number of unique reversible mappings.
2. Consider a Feistel cipher composed of sixteen rounds with a block length of 128 bits and a key
length of 128 bits. Suppose that, for a given k, the key scheduling algorithm determines values for
the first eight round keys, k1, k2, ... k8, and then sets
k9 = k8, k10 = k7, k11 = k6, ..., k16 = k1

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

Suppose you have a ciphertext c. Explain how, with access to an encryption oracle,
you can decrypt c and determine m using just a single oracle query. This shows that such a
cipher is vulnerable to a chosen plaintext attack. (An encryption oracle can be thought of as
a device that, when given a plaintext, returns the corresponding ciphertext. The internal
details of the device are not known to you and you cannot break open the device. You can
only gain information from the oracle by making queries to it and observing its responses.)
By utilizing this single query, you can successfully expose the plaintext \( mmm \)
by taking advantage of the Feistel cipher's processing and mirroring of the round keys. This
chosen plaintext attack demonstrates the vulnerability of the Feistel cipher to such tactics,
as its symmetric structure permits the decryption of the ciphertext without requiring
knowledge of the key or the need for further queries.

3. Let pi be a permutation of the integers 0, 1, 2, c, (2n - 1), such that p(m) gives the permuted value
of m, 0 … m 6 2n. Put another way, pi maps the set of n-bit integers into itself and no two integers
map into the same integer. DES is such a permutation for 64-bit integers. We say that pi has a fixed
point at m if pi(m) = m. That is, if pi is an encryption mapping, then a fixed point corresponds to a
message that encrypts to itself. We are interested in the number of fixed points in a randomly
chosen permutation pi. Show the somewhat unexpected result that the number of fixed points for
pi is 1 on an average, and this number is independent of the size of the permutation.
E[X]=1
This outcome is somewhat surprising, as it indicates that regardless of the size of \( n \)
(that is, no matter how many integers are included in the permutation), the average
number of fixed points remains constant at 1. This independence from the size of the
permutation arises from the uniform distribution of the permutation mappings.
4. Consider a block encryption algorithm that encrypts blocks of length n, and let N = 2n. Say we have
t plaintext–ciphertext pairs Pi, Ci = E(K, Pi), where we assume that the key K selects one of the N!
possible mappings. Imagine that we wish to find K by exhaustive search. We could generate key K′
and test whether Ci = E(K′, Pi) for 1 … i … t. If K ′ encrypts each Pi to its proper Ci, then we have
evidence that K = K′. However, it may be the case that the mappings E(K, # ) and E(K ′, # ) exactly
agree on the t plaintext–cipher text pairs Pi, Ci and agree on no other pairs.
a. What is the probability that E(K, # ) and E(K′, # ) are in fact distinct mappings?
1
P=1−
( N −t ) !
b. What is the probability that E(K, # ) and E(K′, # ) agree on another t′ plaintext– ciphertext
pairs where 0 … t′ … N - t?

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

P=
( t )
N −t
'

( N−t ) !

5. For any block cipher, the fact that it is a nonlinear function is crucial to its security. To see this,
suppose that we have a linear block cipher EL that encrypts 256-bit blocks of plaintext into 256-bit
blocks of ciphertext. Let EL(k, m) denote the encryption of a 256-bit message m under a key k (the

EL(k, [m1⊕ m2]) = EL(k, m1) ⊕ EL(k, m2) for all 128@bit patterns m1, m2. EL(k, [m1⊕ m2]) = EL(k, m1)
actual bit length of k is irrelevant). Thus

⊕ EL(k, m2) for all 128@bit patterns m1, m2.

Describe how, with 256 chosen ciphertexts, an adversary can decrypt any ciphertext
without knowledge of the secret key k. (A “chosen ciphertext” means that an adversary
has the ability to choose a ciphertext and then obtain its decryption. Here, you
have 256 plaintext/ciphertext pairs to work with and you have the ability to choose
the value of the ciphertexts.)

Through this method, the adversary can leverage the linearity of the block cipher to decrypt any
ciphertext using just 256 chosen ciphertexts. The linearity allows the adversary to manipulate and
combine plaintexts and ciphertexts, ultimately revealing the original messages without needing the
secret key. This vulnerability highlights the importance of nonlinearity in modern block ciphers,
where such attacks would not be feasible.

6. Suppose the DES F function mapped every 32-bit input R, regardless of the value of the input K, to;
a. 32-bit string of zero
b. R
Then
1) What function would DES then compute?
If the F function maps every 32-bit input to zero, DES computes a swap of the
input halves. If it maps every input to itself, DES computes a more complex
interleaving based on the original input.
2) What would the decryption look like?
Decryption is straightforward for the first case (simply reversing the halves), while
the second case requires systematically reversing the XOR operations based on
their sequential transformations.

(A⊕ B) ⊕ C = A⊕ (B ⊕ C)
Hint: Use the following properties of the XOR operation:

(A⊕ A) = 0
(A⊕ 0 ) = A
A⊕ 1 = bitwise complement of A
where
A,B,C are n-bit strings of bits
0 is an n-bit string of zeros

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

1 is an n-bit string of one

7. Show that DES decryption is, in fact, the inverse of DES encryption
Demonstrating that each operation of encryption has a corresponding inverse operation in
decryption (including the reversal of key order and the permutation steps), we can conclude that
DES decryption is indeed the inverse of DES encryption. Therefore, applying DES encryption
followed by DES decryption (or vice versa) retrieves the original data: D(K,E(K,P))=P

8. The 32-bit swap after the sixteenth iteration of the DES algorithm is needed to make the encryption
process invertible by simply running the ciphertext back through the algorithm with the key order
reversed. This was demonstrated in the preceding problem. However, it still may not be entirely
clear why the 32-bit swap is needed. To demonstrate why, solve the following exercises. First, some
notation:
A||B = the concatenation of the bit strings A and B
Ti(R||L) = the transformation defined by the ith iteration of the encryption
algorithm for 1 <= I <= 16
TDi(R||L) = the transformation defined by the ith iteration of the decryption
algorithm for 1 <= I <= 16
T17(R||L) = L||R, where this transformation occurs after the sixteenth iteration
of the encryption algorithm
a. Show that the composition TD1(IP(IP-1(T17(T16(L15 ‘R15))))) is equivalent to the
transformation that interchanges the 32-bit halves, L15 and R15. That is, show that
TD1(IP(IP-1(T17(T16(L15 ||R15))))) = R15 ||L15

T16(L15∣∣R15)=L15∣∣(L15⊕F(R15,K16))
T17(L16∣∣R16)=R16∣∣L16=(L15⊕F(R15,K16))∣∣R15
IP−1(R16∣∣L16)
TD1(IP−1(R16∣∣L16))=R15∣∣L15
TD1(IP(IP−1(T17(T16(L15∣∣R15))))=R15∣∣L15

b. Now suppose that we did away with the final 32-bit swap in the encryption algorithm. Then
we would want the following equality to hold:
TD1(IP(IP-1(T16(L15 ||R15)))) = L15 ||R15
Does it?

T16(L15∣∣R15)=R15∣∣(L15⊕F(R15,K16))
IP−1(R16∣∣L16)
TD1(IP−1(R16∣∣L16))
TD1(IP(IP−1(T16(L15∣∣R15)))) /=L15∣∣R15

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

Note: The following problems refer to details of DES that are described in Appendix S.

9. Consider the substitution defined by row 1 of S-box S1 in Table S.2. Show a block diagram similar to
Figure 4.2 that corresponds to this substitution.

10. Compute the bits number 4, 17, 41, and 45 at the output of the first round of the DES decryption,
assuming that the ciphertext block is composed of all ones and the external key is composed of all
ones.
Bit 4: 1
Bit 17: 1
Bit 41: 1
Bit 45: 1

11. This problem provides a numerical example of encryption using a one-round version of DES. We
start with the same bit pattern for the key K and the plaintext, namely:
Hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F
Binary notation: 0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111
a. Derive K1, the first-round subkey.
K1 = 10101100111000101010001111000000 (48 bits)

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

b. Derive L0, R0.

L0 = 0000000000000000 (Left 32 bits)
R0 = 0000000000000001 (Right 32 bits)
c. Expand R0 to get E[R0], where E[ . ] is the expansion function of Table S.1.

d. Calculate A = E[R0] ⊕ K1
E[R0] = 000000000000000000000000000000000000000000000001 (48 bits)

A = 10101100111000101010001111000001 (48 bits)

e. Group the 48-bit result of (d) into sets of 6 bits and evaluate the corresponding S-box
substitutions.
After substituting each group with S-box results, concatenate to form a 32-bit output B.
f. Concatenate the results of (e) to get a 32-bit result, B.
B = 110010110001111100100110 (32 bits)
g. Apply the permutation to get P(B).

h. Calculate R1 = P(B) ⊕ L0.

P(B) = 100100011110111100101100 (32 bits)

R_1 = 100100011110111100101100 (32 bits)

i. Write down the ciphertext.
C = 0000000000000001100100011110111100101100 (64 bits)

12. Analyze the amount of left shifts in the DES key schedule by studying Table S.3 (d). Is there a
pattern? What could be the reason for the choice of these constants?
The left shift pattern in the DES key schedule showcases a deliberate design choice aimed
at enhancing the algorithm's security while maintaining efficiency. The combination of 1
and 2 shifts creates a robust mechanism for key mixing, ultimately contributing to the
cryptographic strength of the DES algorithm against various types of attacks.

13. When using the DES algorithm for decryption, the 16 keys (K1, K2, c, K16) are used in reverse order.
Therefore, the right-hand side of Figure S.1 is not valid for decryption. Design a key-generation
scheme with the appropriate shift schedule (analogous to Table S.3d) for the decryption process.

Round Left Shifts Subkey K

for C and D Generated
1 1 K1
2 1 K2
3 2 K3
4 2 K4
5 1 K5
6 1 K6
7 2 K7
8 2 K8
9 1 K9
10 1 K10
11 2 K11
12 2 K12

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

13 1 K13
14 1 K14
15 2 K15
16 2 K16

14.
a. Let X′ be the bitwise complement of X. Prove that if the complement of the plaintext block
is taken and the complement of an encryption key is taken, then the result of DES
encryption with these values is the complement of the original ciphertext. That is,
If Y = E(K, X)
Then Y′ = E(K′, X′)

(A⊕ B)′ = A′ ⊕ B.
Hint: Begin by showing that for any two bit strings of equal length, A and B,

Y′=E(K,X)′=(E(K,X))′=E(K′,X′)
he proof shows that if you take the complement of the plaintext and the
complement of the key, the resulting ciphertext is the complement of the original
ciphertext.

b. It has been said that a brute-force attack on DES requires searching a key space of 256 keys.
Does the result of part (a) change that?
The result of part (a) does not change the key space size for brute-force attacks on
DES, which remains at 2^{56}. The existence of the complementary keys does not
provide an advantage in reducing the number of keys that must be searched in a
brute-force attack.

15.
a. We say that a DES key K is weak if DESK is an involution. Exhibit four weakkeys for DES.
K1: 0000000000000000
K2: FFFFFFFFFFFFFFFF
K3: 1111111111111111
K4: 2222222222222222
b. We say that a DES key K is semi-weak if it is not weak and if there exists a key K ′ such that
DESK - 1 = DESK′. Exhibit four semi-weak keys for DES.
K1: E0E0E0E0E0E0E0E0
K'1: 1F1F1F1F1F1F1F1F
K2: A0A0A0A0A0A0A0A0
K'2: 5F5F5F5F5F5F5F5F
K3: C0C0C0C0C0C0C0C0
K'3: 3F3F3F3F3F3F3F3F
K4: 7F7F7F7F7F7F7F7F

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

K'4: 8080808080808080

Note: The following problems refer to simplified DES, described in Appendix G.

16. Refer to Figure G.3, which explains encryption function for S-DES.
a. How important is the initial permutation IP?
Diffusion: The IP spreads the influence of individual plaintext bits across multiple ciphertext
bits, obscuring patterns and enhancing security.
Foundation for Subsequent Rounds: It establishes the initial bit arrangement, affecting
how keys are derived and processed in later rounds.
Prevention of Linear Attacks: By altering bit positions, IP reduces the likelihood of attackers
using linear relationships to break the cipher.

b. How important is the SW function in the middle?

Increased Security: The SW function mixes the left and right halves of the data, making it
harder for attackers to reverse-engineer the key.
Diffusion: Swapping halves promotes further diffusion, as information from one half
influences the other in subsequent rounds.
Iterative Transformation: It ensures that the encryption process is repeated, enhancing the
strength of the encryption.
Reversibility for Decryption: The SW function is essential for allowing decryption to occur
symmetrically using the same key.

17. The equations for the variables q and r for S-DES are defined in the section on S-DES analysis.
Provide the equations for s and t.

s=L0⊕P(B)

t=R0⊕f(K1,L0)

18. Using S-DES, decrypt the string 01000110 using the key 1010000010 by hand. Show intermediate
results after each function (IP, FK, SW, FK, IP-1). Then decode the first 4 bits of the plaintext string
to a letter and the second 4 bits to another letter where we encode A through P in base 2 (i.e., A =
0000, B = 0001, c, P = 1111). Hint: As a midway check, after the xoring with K2, the string should be
11000001.

The decrypted string is 01100010, corresponding to letters G (for 0110) and C (for 0010).

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

19. Create software that can encrypt and decrypt using a general substitution block cipher.

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347
 Republic of the Philippines
UNIVERSITY OF NORTHERN PHILIPPINES
Tamag, Vigan City
2700 Ilocos Sur

20. Create software that can encrypt and decrypt using S-DES. Test data: use plaintext, ciphertext, and
key of Problem 4.18.

ISO 9001:2015
Quirino Blvd., Brgy. Tamag, Vigan City, 2700 Ilocos Sur REGISTERED
Certificate. No.
Website: www.unp.edu.ph SCP000580Q
Email: [email protected] Telephone #(077)674-1347