EXERCISE 5

MORE ABOUT BLOCK CIPHERS

1. Assume a toy block cipher e() for encryption of 5-bit blocks. The encryption function is a
bit permutation, which depends on the key. We assume that for a given key the encryption
(permutation) is as follows:

e(b1 b2 b3 b4 b5 ) = (b2 b5 b4 b1 b3 )

Encrypt the message x = 01101 11011 11010 00110 with the five different modes of
operation ECB, CBC, CFB, OFB, and CTR, and provide the corresponding ciphertext y. Use
IV = 11001 as the initialization vector.

2. We consider exhaustive key-search attacks on block ciphers where the key is k bits long.
The block length is n bits, with n being much larger than k.
(1) Exhaustive key searches typically require known plaintexts. How many plaintext-
ciphertext pairs are needed to successfully break the block cipher running in ECB
mode? How many steps are needed in the worst case?
(2) Assume that the initialization vector IV for running the block cipher in CBC mode
is known (which is in practice the case as the IV is transmitted unencrypted). How
many plaintext–ciphertext pairs are now needed to break the cipher by performing
an exhaustive key search? How many steps are needed maximally? Briefly describe
the attack.
(3) How many plaintext–ciphertext pairs are necessary if you do not know the IV?
(4) Is breaking a block cipher in CBC mode by means of an exhaustive key search con-
siderably more difficult than breaking an ECB-mode block cipher?

3. In a company, all files that are sent on the internal network are automatically encrypted
by using AES-128 in CBC mode. A fixed key is used, and the IV is changed once per day.
The network encryption is file-based, so that the IV is used at the beginning of every file.
Through hacking into the system, you manage to find the fixed AES-128 key but you do not
know the current IV. Today, you were able to eavesdrop and obtain two different files, one
with unknown content and one which is known to be an automatically generated temporary
file, which only contains the value 0x F F . Briefly describe how it is possible to obtain the
unknown initialization vector and how you are able to decrypt the unknown file.

4. Keeping the IV secret in OFB mode does not make an exhaustive key search more com-
plex. Describe how we can perform a brute-force attack with unknown IV. What are the
requirements regarding plaintext and ciphertext?

5. Describe how the OFB mode can be attacked if the IV is not different for each execution
of the encryption operation.
Date: October 23, 2024.
1
Introduction to Information Security Exercise 5
6. Propose a simple change to the OFB mode that encrypts one byte of plaintext at a time,
e.g., for encrypting keystrokes from a remote keyboard. The block cipher used is AES.
Perform one block cipher operation for every new plaintext byte. Draw a block diagram of
your scheme and pay particular attention to the bit lengths used in your diagram.

7. As is so often true in cryptography, it is easy to weaken a seemingly strong scheme by

small modifications. Assume a variant of the OFB mode by which we only feed back the 8
most significant bits of the cipher output. We use AES and fill the remaining 120 input bits
of the cipher with 0s.
(1) Why is this scheme weak if we encrypt moderately large blocks of plaintext, say
100 kBytes? What is the maximum number of known plaintexts an attacker needs
to completely break the scheme?
(2) Let the feedback byte be denoted by FB. Does the scheme become cryptographically
stronger if we feed back the 128-bit value FB, FB, . . . , FB to the input (i.e., we copy
the feedback byte 16 times and use it as AES input)?

8. In the text, a variant of the CFB mode is proposed that encrypts individual bytes. Draw
a block diagram for this mode when using AES as block cipher. Indicate the width (in bits)
of each line in your diagram.

9. We are using AES in counter mode to encrypt a hard disk with 1 TB of capacity. What is
the maximum length of the IV?

10. Sometimes error propagation is an issue when choosing a mode of operation in prac-
tice. In order to analyze the propagation of errors, let us assume a bit error (i.e., a substitu-
tion of a “0” bit by a “1” bit or vice versa) in a ciphertext block yi . Alice is sending messages
to Bob.
(1) Assume an error occurs during the transmission in one block of ciphertext, let’s say
yi . Which plaintext blocks are affected on Bob’s side when using the ECB mode?
(2) Again, assume block yi contains an error introduced during transmission. Which
plaintext blocks are affected on Bob’s side when using the CBC mode?
(3) Suppose there is an error in the plaintext x i on Alice’s side. Which plaintext blocks
are affected on Bob’s side when using the CBC mode?
(4) Assume a single-bit error occurs in the transmission of a ciphertext character in 8-
bit CFB mode. How far does the error propagate? Describe exactly how each block
is affected.
(5) Give an overview of the effect of bit errors in a ciphertext block for the modes ECB,
CBC, CFB, OFB, and CTR. Differentiate between random bit errors and specific bit
errors when decrypting yi . Specific bit errors means errors at the same position(s)
as the original bit error(s).

11. Besides simple bit errors, the deletion or insertion of a bit during transmission can yield
even more severe effects for many modes of operation since the synchronization of blocks
is disrupted. In most cases, the decryption of subsequent blocks will be incorrect. A special
case is the CFB mode with a feedback width of 1 bit. Show that the synchronization is
automatically restored after κ + 1 steps, where κ is the block size of the block cipher.
2
Introduction to Information Security Exercise 5
12. We now analyze the security of DES with double encryption (2DES) by doing a cost
estimate. The encryption is described by the following expression:
First, let us assume a key search without building lookup tables. For this purpose, the whole
key space spanned by K1 and K2 has to be searched. How much does a key-search machine
for breaking 2DES (worst case) in 1 week cost?
We assume we have ASICs that can test 107 keys per second at a cost of $5 per IC. Further-
more, assume an overhead of 50% for building the key-search machine.
(1) Let us now consider the meet-in-the-middle (or time-memory tradeoff) attack that
was introduced in this chapter, in which we can use lookup tables. Answer the
following questions:
(a) How many entries have to be stored?
(b) How many bytes (not bits!) have to be stored for each entry?
(c) How costly is a key search in one week? Please note that the key space has to
be searched before filling up the memory completely. Then we can begin to
search the key space of the second key. Assume the same hardware for both
key spaces.
(d) For a rough cost estimate, assume the following costs for hard disk space: $5/1
TByte, where 1 TByte = 1012 Bytes.
(2) Assuming that both processing costs and the price for storage decrease according
to Moore’s law, i.e., they decrease by 50% every 18 months, when do the total costs
move below $1 million?
17. This is your chance to break a cryptosystem. As we know by now, cryptography is a
tricky business. The following problem illustrates how easy it is to turn a strong scheme
into a weak one with minor modifications.
We saw in this chapter that key whitening is a good technique for strengthening block
ciphers against brute-force attacks. We now look at the following variant of key whitening
against DES, which we’ll call DESA:

DESAk,k1 (x) = DESk (x) ⊕ k1

Even though the method looks similar to key whitening, it hardly adds to the security. Your
task is to show that breaking the scheme is roughly as difficult as a brute-force attack against
single DES. Assume you have a few plaintext–ciphertext pairs.
18. Let us now consider a brute-force attack on a block cipher with key length k. The block
cipher is used in OFB mode. The initialization vector is not known. Describe how many (i)
plaintexts and (ii) ciphertexts are required to break the cipher with a brute-force attack. In
the worst case, how many steps are necessary?