T-79.

5501 Cryptology
Homework 6
March 19, 2009

1. Let us consider the Boolean function t(x1 , x2 , x3 ) = x1 x2 ⊕ x2 x3 ⊕ x1 x3 .

(a) Compute the values of the difference distribution table ND (a0 , b0 ) of the
function t, for a0 = 010 and a0 = 111 and b0 ∈ {0, 1}.
(b) A linear structure of a Boolean function f of three variables is defined as
a vector w = (w1 , w2 , w3 ) 6= (0, 0, 0) such that f (x⊕w)⊕f (x) is constant.
Show that t has exactly one linear structure.
(c) Show that t preserves complementation, that is, if each input bit is com-
plemented then the output is complemented.

2. Let πS be an m-bit to n-bit S-box. Let us derive a mathematical expression

of NL (a, b) in the linear distribution table. Consider the sum

(−1)a·x⊕b·πS (x)
X

x∈{0,1}m

computed over integers. It is easy to see that

(−1)a·x⊕b·πS (x)
X

x∈{0,1}m

= #{x ∈ {0, 1}m | a · x ⊕ b · πS (x) = 0} − #{x ∈ {0, 1}m | a · x ⊕ b · πS (x) = 1}

= NL (a, b) − (2m − NL (a, b)) = 2NL (a, b) − 2m .

Actually, this is nothing else but the Walsh transform of the Boolean function
b · πS (x), see Lecture 6. It follows that

1 X
NL (a, b) = 2m−1 + (−1)a·x⊕b·πS (x) .
2 x∈{0,1}m

(a) Problem(Stinson): Let πS be an m-bit to n-bit S-box. Show that

m −1
2X
NL (a, b) = 22m−1 ± 2m−1 ,
a=0

for all n-bit mask values b, where the sum is taken over all m-bit mask
values a (enumerated from 0 to 2m − 1).
(b) Check the result in (a) for the linear approximation table in Fig. 3.2 of
the textbook.

3. Let FI be a finite field with q elements and β a primitive element in FI . Consider

the function f : ZZq−1 = {0, 1, . . . , q − 2} → FI ∗ , f (x) = β x .

(a) Show that f is a bijection.

 (b) For a0 ∈ ZZq−1 and b0 ∈ FI , let us denote

ND (a0 , b0 ) = #{x ∈ ZZq−1 |f ((x + a0 ) mod q − 1) − f (x) = b0 }.

Show that ND (a0 , b0 ) = 1, for all a0 6= 0 and b0 6= 0.

4. Bob is using the RSA cryptosystem and his modulus is n = pq = 67 · 41. Show
that if the plaintext is 2009 then the ciphertext is equal to 2009.

5. (Stinson 5.14) The aim is to prove that the RSA Cryptosystem is not secure
against a chosen ciphertext attack.

(a) First, show that the encryption operation is multiplicative, that is, eK (x1 x2 ) =
eK (x1 )eK (x2 ), for any two plaintexts x1 and x2 .
(b) Next, use the multiplicative property to construct an example about how
to decrypt a given ciphertext y by obtaining the decryption x̂ of a different
(but related) ciphertext ŷ.

6. (a) What are the quadratic residues modulo 5?

(b) What are the quadratic residues modulo 7?
(c) What are the quadratic residues modulo 35?

7. (a) Evaluate the Jacobi symbol

801
 
.
2005
You should not do any factoring other than dividing out powers of 2.
(b) Let n be a composite integer and a an integer such that 1 < a < n. Then
n is called Euler pseudoprime to the base a if
a
 
n−1
≡ a 2 (modn) .
n
Show that 2005 is an Euler pseudoprime to the base 801.