深入浅出密码学习题答案(2)

奇数题号答案

1.A(x) B(x)=(x2+1)(x3+x2+1)=x5+x4+x2+x3+x2+1

A(x) B(x)=x5+x4+x3+1

x+1

4543x+x+1x+x+x+152x+x+x

x4+x3+x2+x+1

x4+x+1

x3+x2

C=x3+x2≡A(x) B(x)modP(x).2.A(x) B(x)=(x2+1)(x+1)=x3+x+x2+1

C=x3+x2+x+1≡A(x) B(x)modP(x)

ThereductionpolynomialisusedtoreduceC(x)inordertoreducetheresulttoGF(24).Otherwise,a’simple’multiplicationwithoutreductionwouldyieldaresultofahigherdegree(e.g.,withx5)whichwouldnotbelongtoGF(24)anymore.

4.7

1.BytheExtendedEuclideanalgorithm:

x+x+1=[x3](x)+[x+1]t2(x)=t0 q1t1= q1= x3=x3

x=[1](x+1)+1t3(x)=t1 q2t2=1 1 x3=1 x3=x3+1

x+1=[x+1](1)+04

So,A 1=x3+1.

Check:x (x3+1)=x4+x≡(x+1)+xmodP(x)=1modP(x).

2.BytheExtendedEuclideanalgorithm:4x+x+1=[x2+x+1](x2+x)+[1]t2=t0 q1t1= q1=x2+x+1

x2+x=[x2+x]1+[0]

So,A 1=x2+x+1.

Check:(x2+x)(x2+x+1)=x4+2x3+2x2+x=x4+x≡(x+1)+xmodP(x)=1modP(x).

4.9

16161616 16161616 B=ByteSub(A)= 16161616 16161616

TheShiftRowsoperationdoesnotchangeanythingsinceallbytesofBequaleachother.TheMixComumnoperationisequalforeveryresultigbyteCiandisdescribedby

(01+01+02+03)hex·(16)hex.Wehavetoremind,thatallcalculationshavetobedoneinGF(28),sothat(01+01+02+03)hex=(01)hexandhence,allresultingbytesofCremain(16)hex 16161616 16161616 C=MixColumn(B)= 16161616 16161616

The rstroundkeyequalskey. So,theoutputof the rstis the unmodi edAES E9E9E9E9FFFFFFFF16161616 16161616 FFFFFFFF E9E9E9E9 C⊕K= 16161616 ⊕ FFFFFFFF = E9E9E9E9 E9E9E9E9FFFFFFFF16161616

4.11

奇数题号答案

1.d=01,b=1 (b7x7+...+b0)=b.

d0=b0,d1=b1,...,d7=b7.

2.d=02 b=x(b7x7+...+b0)=b7x8+b6x7+...+b0x

x8≡x4+x3+x+1modP(x).

d=b6x7+b5x6+b4x5+[b3+b7]x4+[b2+b7]x3+b1x2+[b0+b7]x+b7

d7=b6d6=b5

d5=b4d4=b3+b7

d3=b2+b7d2=b1

d1=b0+b7d0=b7

3.d=03 b=(x+1)b=xb+b

Usingsolutionsfroma)andb):

d=(b6+b7)x7+(b5+b6)x6+(b4+b5)x5+(b3+b4+b7)x4+(b2+b3+b7)x3+(b1+b2)x2+(b0+b1+b7)x+(b0+b7)

d7=b6+b7d6=b5+b6

d5=b4+b5d4=b3+b4+b7

d3=b2+b3+b7d2=b1+b2

d1=b0+b1+b7d0=b0+b7

4.13

1.A=01h,A(x)=1

A 1(x)=1=01h

A 1(x)isnowtheinputtotheaf netransformationofRijndaelasdescribedinSubsection4.2.1oftheRijndaelSpeci cations:

M·A 1+V

whereMandVarea xedmatrixandvector,respectively.

11110 0 1 1 1 0 0 0 1 0 1 0 0 1 0 1 1 M·A+V=M· 0 + 0 = 1 + 0 = 1 0 1 0 1 1 0 1 0 1 1 00000

ByteSub(01h)=7Ch

2.A=12h,A(x)=x4+x

ApplyextendedEuclideanalgorithm:A 1(x)=x7+x5+x3+x=AAh.

01011 1 1 1 1 0 0 0 0 0 0 1 0 1 0 1 1 M·A+V=M· 0 + 0 = 0 + 0 = 0 1 1 1 1 0 0 1 0 1 1 10101

Remark:Itis(big)coincidencethatM·A 1=A 1.Thisonlyholdsforthisspeci cvalueofA 1.ByteSub(12h)=C9h

4.15

1.RC[8]=x7=(10000000)2

2.RC[9]=x8=x4+x3+x+1=(00011011)2

3.RC[10]=x9=x8·x=x5+x4+x2+x=(00110110)2

奇数题号答案

ProblemsofChapter5

5.1

Sincetherecordsarenotrelated,wetypicallywanttoaccessonlyasinglerecordandnotitsadjacentones.TheuseofCBCmodeisthusnotwellsuited.ECBmostseemstobethebestchoice.

5.3

Thedecryptionofan”CBC-encrypted” leisde nedbyxi=dK(yi)⊕yi 1.SinceyouknowthekeyKandthepair(x0,y0)(fromthe rst le),theunknownIVcaneasilybeobtainedbyconvertingtheequation:

IV=y 1=dk(y0)⊕x0

Afterthat,thesecond(unidenti ed) lecaneasilybedecryptedbyusingthedecryptionequationmen-tionedabove(withy 1=IV).

5.5

IfthesameIVisusedfortheOFBencryption,thecon dentialitymaybecompromized.Ifaplaintextblockxjofsuchamessagemisknown,theoutputcanbecomputedeasilyfromtheciphertextblockyjofthemessagem.Thisinformationthenallowsthecomputationoftheplaintextblockx′jofanyothermessagem′thatisencryptedusingthesameIV.

5.7

1.

2.Theproblemwiththeschemeisthatthereareonly256differentinputsFBitotheAESalgorithm.Thatmeansthereareonly256differentoutputvectorsoflength128bitthatformthekeystream.Tomakethingsworse,thecipheroutputwillrunintoacyclequickly.Let’sdenotethesequenceoffeedbackbytesbyFB1,FB2,...AssoonasafeedbackbyteFBjisgeneratedthatisequaltoanearlieroneFBi,i.e.,i<j,thesequence

FBi,FBi+1,...,FBj=FBi,FBi+1,...,FBj=FBi,FBi+1,...

repeatsperiodically.Sincethereareonly256differentvaluesforFB,themaximumsequencelengthis256.Sinceeachvalueisassociatedwitha128(16byte)AESoutput,thekeystreamsequencesihasamaximumcyclelengthof:

128×16=2048byte=2kbyte.

Afterthis,thestreamcipheroutputmustrepeat(andoddsarethatthecyclelenghtismuchshorter).Thus,ifanattackerhastoknowatmost2kBofplaintextinordertorecovertheentirestreamcipheroutputwithwhichhecandecryptallotherciphertext.

3.No,westillonlygenerateamaximumof256keystreamwordsoflength16byte.

Remark:Inthechapteronhashfunctionswewilllearnaboutthebirthdayparadox.This√isapplicableheretooandtellsusthattheexpectedlengthofthesequenceisinfactapproximately

奇数题号答案

ForachievingthesameprobabilitywithAES-256,2127plaintextsandciphertextsarerequired(whichisveryveryunlikely)!

5.15y′=eK3(eK2(eK1(x′)))

1.Pre–computeeKi(x′)=zi;i=1,2,...,256andstoreallpairs(zi,Ki)

(2)1 1′56562.Decryptza,b=e Kb(eKa(y));a=1,2,...,2;b=1,2,...,2

Ifamatchisfound,ifthereisaza,b=zitestfurtherkeypairs(x′′,y′′),(x′′′,y′′′),...,withthethreekeysinvolvedinthematch:

Ifthethreekeysgenerateavalidencryptionforallpairs,thesearemostlikelythecorrectkeys.OtherwisecontinuewiththenextpairKa,Kb.

l=3;t=3pairs

23·56 3·64=2 3·8=2 24 t=3pairs(x,y)aresuf cient(2)(1)(1)(1)

ProblemsofChapter6

6.1Fromatheoreticalpointofview,publickeycryptographycanbeusedasareplacementforsymmet-riccryptography.However,inpracticalapplications,symmetriccipherstendtobeapproximate …… 此处隐藏：4870字，全部文档内容请下载后查看。喜欢就下载吧 ……