密碼編碼學(xué)與網(wǎng)絡(luò)安全答案優(yōu)質(zhì)資料

密碼編碼學(xué)與網(wǎng)絡(luò)安全答案優(yōu)質(zhì)資料(可以直接使用，可編輯優(yōu)質(zhì)資料，歡迎下載）

Chapter1: Introduction 5密碼編碼學(xué)與網(wǎng)絡(luò)安全答案優(yōu)質(zhì)資料(可以直接使用，可編輯優(yōu)質(zhì)資料，歡迎下載）Chapter2: ClassicalEncryptionTechniques 7Chapter3: BlockCiphersandtheDateEncryptionStandard 13Chapter4: FiniteFields 21Chapter5: AdvancedEncryptionStandard 28Chapter6: MoreonSymmetricCiphers 33Chapter7: ConfidentialityUsingSymmetricEncryption 38Chapter8: IntroductiontoNumberTheory 42Chapter9: Public-KeyCryptographyandRSA 46Chapter10: KeyManagement;OtherPublic-KeyCryptosystems 55Chapter11: MessageAuthenticationandHashFunctions 59Chapter12: HashandMACAlgorithms 62Chapter13: DigitalSignaturesandAuthenticationProtocols 66Chapter14: AuthenticationApplications 71Chapter15: ElectronicMailSecurity 73Chapter16: IPSecurity 76Chapter17: WebSecurity 80Chapter18: Intruders 83Chapter19: MaliciousSoftware 87Chapter20: Firewalls 89AnswerstoQuestions1.1 TheOSISecurityArchitectureisaframeworkthatprovidesasystematicwayofdefiningtherequirementsforsecurityandcharacterizingtheapproachestosatisfyingthoserequirements.Thedocumentdefinessecurityattacks,mechanisms,andservices,andtherelationshipsamongthesecategories.1.2 Passiveattackshavetodowitheavesdroppingon,ormonitoring,transmissions.Electronicmail,filetransfers,andclient/serverexchangesareexamplesoftransmissionsthatcanbemonitored.Activeattacksincludethemodificationoftransmitteddataandattemptstogainunauthorizedaccesstocomputersystems.1.3 Passiveattacks:releaseofmessagecontentsandtrafficanalysis.Activeattacks:masquerade,replay,modificationofmessages,anddenialofservice.1.4 Authentication:Theassurancethatthecommunicatingentityistheonethatitclaimstobe. Accesscontrol:Thepreventionofunauthorizeduseofaresource(i.e.,thisservicecontrolswhocanhaveaccesstoaresource,underwhatconditionsaccesscanoccur,andwhatthoseaccessingtheresourceareallowedtodo). Dataconfidentiality:Theprotectionofdatafromunauthorizeddisclosure. Dataintegrity:Theassurancethatdatareceivedareexactlyassentbyanauthorizedentity(i.e.,containnomodification,insertion,deletion,orreplay). Nonrepudiation:Providesprotectionagainstdenialbyoneoftheentitiesinvolvedinacommunicationofhavingparticipatedinallorpartofthecommunication. Availabilityservice:Thepropertyofasystemorasystemresourcebeingaccessibleandusableupondemandbyanauthorizedsystementity,accordingtoperformancespecificationsforthesystem(i.e.,asystemisavailableifitprovidesservicesaccordingtothesystemdesignwheneverusersrequestthem).1.5SeeTable1.3.AnswerstoProblems1.1ReleaseofmessagecontentsTrafficanalysisMasqueradeReplayModificationofmessagesDenialofservicePeerentityauthenticationYDataoriginauthenticationYAccesscontrolYConfidentialityYTrafficflowconfidentialityYDataintegrityYYNon-repudiationYAvailabilityY1.2ReleaseofmessagecontentsTrafficanalysisMasqueradeReplayModificationofmessagesDenialofserviceEnciphermentYDigitalsignatureYYYAccesscontrolYYYYYDataintegrityYYAuthenticationexchangeYYYYTrafficpaddingYRoutingcontrolYYYNotarizationYYYChapter2ClassicalEncryptionTechniquesrAnswerstoQuestions2.1Plaintext,encryptionalgorithm,secretkey,ciphertext,decryptionalgorithm.2.2Permutationandsubstitution.2.3Onekeyforsymmetricciphers,twokeysforasymmetricciphers.2.4Astreamcipherisonethatencryptsadigitaldatastreamonebitoronebyteatatime.Ablockcipherisoneinwhichablockofplaintextistreatedasawholeandusedtoproduceaciphertextblockofequallength.2.5Cryptanalysisandbruteforce.2.6 Ciphertextonly.Onepossibleattackunderthesecircumstancesisthebrute-forceapproachoftryingallpossiblekeys.Ifthekeyspaceisverylarge,thisbecomesimpractical.Thus,theopponentmustrelyonananalysisoftheciphertextitself,generallyapplyingvariousstatisticalteststoit.Knownplaintext.Theanalystmaybeabletocaptureoneormoreplaintextmessagesaswellastheirencryptions.Withthisknowledge,theanalystmaybeabletodeducethekeyonthebasisofthewayinwhichtheknownplaintextistransformed.Chosenplaintext.Iftheanalystisabletochoosethemessagestoencrypt,theanalystmaydeliberatelypickpatternsthatcanbeexpectedtorevealthestructureofthekey.2.7Anencryptionschemeisunconditionallysecureiftheciphertextgeneratedbytheschemedoesnotcontainenoughinformationtodetermineuniquelythecorrespondingplaintext,nomatterhowmuchciphertextisavailable.Anencryptionschemeissaidtobecomputationallysecureif:(1)thecostofbreakingthecipherexceedsthevalueoftheencryptedinformation,and(2)thetimerequiredtobreakthecipherexceedstheusefullifetimeoftheinformation.2.8TheCaesarcipherinvolvesreplacingeachletterofthealphabetwiththeletterstandingkplacesfurtherdownthealphabet,forkintherange1through25.2.9Amonoalphabeticsubstitutionciphermapsaplaintextalphabettoaciphertextalphabet,sothateachletteroftheplaintextalphabetmapstoasingleuniqueletteroftheciphertextalphabet.2.10ThePlayfairalgorithmisbasedontheuseofa55matrixoflettersconstructedusingakeyword.Plaintextisencryptedtwolettersatatimeusingthismatrix.2.11Apolyalphabeticsubstitutioncipherusesaseparatemonoalphabeticsubstitutioncipherforeachsuccessiveletterofplaintext,dependingonakey.2.12 1.Thereisthepracticalproblemofmakinglargequantitiesofrandomkeys.Anyheavilyusedsystemmightrequiremillionsofrandomcharactersonaregularbasis.Supplyingtrulyrandomcharactersinthisvolumeisasignificanttask.2.Evenmoredauntingistheproblemofkeydistributionandprotection.Foreverymessagetobesent,akeyofequallengthisneededbybothsenderandreceiver.Thus,amammothkeydistributionproblemexists.2.13Atranspositioncipherinvolvesapermutationoftheplaintextletters.2.14Steganographyinvolvesconcealingtheexistenceofamessage.AnswerstoProblems2.1 a.No.Achangeinthevalueofbshiftstherelationshipbetweenplaintextlettersandciphertextletterstotheleftorrightuniformly,sothatifthemappingisone-to-oneitremainsone-to-one.b.2,4,6,8,10,12,13,14,16,18,20,22,24.Anyvalueofalargerthan25isequivalenttoamod26.c.Thevaluesofaand26musthavenocommonpositiveintegerfactorotherthan1.Thisisequivalenttosayingthataand26arerelativelyprime,orthatthegreatestcommondivisorofaand26is1.Toseethis,firstnotethatE(a,p)=E(a,q)(0≤p≤q<26)ifandonlyifa(p–q)isdivisibleby26.1.Supposethataand26arerelativelyprime.Then,a(p–q)isnotdivisibleby26,becausethereisnowaytoreducethefractiona/26and(p–q)islessthan26.2.Supposethataand26haveacommonfactork>1.ThenE(a,p)=E(a,q),ifq=p+m/k≠p.2.2Thereare12allowablevaluesofa(1,3,5,7,9,11,15,17,19,21,23,25).Thereare26allowablevaluesofb,from0through25).ThusthetotalnumberofdistinctaffineCaesarciphersis1226=312.2.3Assumethatthemostfrequentplaintextletteriseandthesecondmostfrequentletterist.Notethatthenumericalvaluesaree=4;B=1;t=19;U=20.Thenwehavethefollowingequations: 1=(4a+b)mod26 20=(19a+b)mod26 Thus,19=15amod26.Bytrialanderror,wesolve:a=3. Then1=(12+b)mod26.Byobservation,b=15.2.4 AgoodglassintheBishop'shostelintheDevil'sseat—twenty-onedegreesandthirteenminutes—northeastandbynorth—mainbranchseventhlimbeastside—shootfromthelefteyeofthedeath'shead—abeelinefromthetreethroughtheshotfiftyfeetout.(fromTheGoldBug,byEdgarAllanPoe)2.5a. ThefirstlettertcorrespondstoA,thesecondletterhcorrespondstoB,eisC,sisD,andsoon.Secondandsubsequentoccurrencesofaletterinthekeysentenceareignored.Theresultciphertext:SIDKHKDMAFHCRKIABIESHIMCKDLFEAILA plaintext:basilisktoleviathanblakeiscontactb. Itisamonalphabeticcipherandsoeasilybreakable.c. Thelastsentencemaynotcontainallthelettersofthealphabet.Ifthefirstsentenceisused,thesecondandsubsequentsentencesmayalsobeuseduntilall26lettersareencountered.2.6 Thecipherreferstothewordsinthepageofabook.Thefirstentry,534,referstopage534.Thesecondentry,C2,referstocolumntwo.Theremainingnumbersarewordsinthatcolumn.ThenamesDOUGLASandBIRLSTONEaresimplywordsthatdonotappearonthatpage.Elementary!(fromTheValleyofFear,bySirArthurConanDoyle)2.7 a.28107963145CRYPTOGAHIBEATTHETHIRDPILLARFROMTHELEFTOUTSIDETHELYCEUMTHEATRETONIGHTATSEVENIFYOUAREDISTRUSTFULBRINGTWOFRIENDS42810563719NETWORKSCUTRFHEHFTINBROUYRTUSTEAETHGISREHFTEATYRNDIROLTAOUGSHLLETINIBITIHIUOVEUFEDMTCESATWTLEDMNEDLRAPTSETERFO ISRNGBUTLFRRAFRLIDLPFTIYONVSEETBEHIHTETA EYHATTUCMEHRGTAIOENTTUSRUIEADRFOETOLHMET NTEDSIFWROHUTELEITDSb. Thetwomatricesareusedinreverseorder.First,theciphertextislaidoutincolumnsinthesecondmatrix,takingintoaccounttheorderdictatedbythesecondmemoryword.Then,thecontentsofthesecondmatrixarereadlefttoright,toptobottomandlaidoutincolumnsinthefirstmatrix,takingintoaccounttheorderdictatedbythefirstmemoryword.Theplaintextisthenreadlefttoright,toptobottom.c. Althoughthisisaweakmethod,itmayhaveusewithtime-sensitiveinformationandanadversarywithoutimmediateaccesstogoodcryptanalysis(e.g.,tacticaluse).Plusitdoesn'trequireanythingmorethanpaperandpencil,andcanbeeasilyremembered.2.8SPUTNIK2.9PTBOATONEOWENINELOSTINACTIONINBLACKETTSTRAITTWOMILESSWMERESUCOVEXCREWOFTWELVEXREQUESTANYINFORMATION2.10 a.LARGESTBCDFHI/JKMNOPQUVWXYZ b.OCURENABDFGHI/JKLMPQSTVWXYZ2.11 a.UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZb. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZc.Acyclicrotationofrowsand/orcolumnsleadstoequivalentsubstitutions.Inthiscase,thematrixforpartaofthisproblemisobtainedfromthematrixofProblem2.10a,byrotatingthecolumnsbyonestepandtherowsbythreesteps.2.12a.25!284b.Givenany5x5configuration,anyofthefourrowrotationsisequivalent,foratotaloffiveequivalentconfigurations.Foreachofthesefiveconfigurations,anyofthefourcolumnrotationsisequivalent.Soeachconfigurationinfactrepresents25equivalentconfigurations.Thus,thetotalnumberofuniquekeysis25!/25=24!2.13AmixedCaesarcipher.Theamountofshiftisdeterminedbythekeyword,whichdeterminestheplacementoflettersinthematrix.2.14 a.Difficultiesarethingsthatshowwhatmenare.b.Irrationallyheldtruthsmaybemoreharmfulthanreasonederrors.2.15 a.Weneedanevennumberofletters,soappenda"q"totheendofthemessage.Thenconvertthelettersintothecorrespondingalphabeticpositions:Meetmeattheusual1355201351202085211921112Placeattenrather161213512020514181208518Thaneightoclockq208114597820153121531117Thecalculationsproceedtwolettersatatime.Thefirstpair: Thefirsttwociphertextcharactersarealphabeticpositions7and22,whichcorrespondtoGV.Thecompleteciphertext:GVUIGVKODZYPUHEKJHUZWFZFWSJSDZMUDZMYCJQMFWWUQRKR b.Wefirstperformamatrixinversion.Notethatthedeterminateoftheencryptionmatrixis(97)–(45)=43.Usingthematrixinversionformulafromthebook: Hereweusedthefactthat(43)–1=23inZ26.Oncetheinversematrixhasbeendetermined,decryptioncanproceed.Source:[LEWA00].2.16 ConsiderthematrixKwithelementskijtoconsistofthesetofcolumnvectorsKj,where: and Theciphertextofthefollowingchosenplaintextn-gramsrevealsthecolumnsofK:(B,A,A,…,A,A)K1(A,B,A,…,A,A)K2(A,A,A,…,A,B)Kn2.17 a. 7134b. 7134c. 134d. 10134e. 24132f. 24 (132–1)13g. 37648 h. 23530 i. 1572482.18key:legleglegle plaintext:explanation ciphertext:PBVWETLXOZR2.19 a.sendmoremoney18413312141741214134249017231521141111289141410931218232515127BECKJDMSXZPMH b.cashnotneeded201871314191344343254223221519519211284141410931218232515127BECKJDMSXZPMH2.20 yourpackagereadyFriday21stroomthreePleasedestroythisimmediately.2.21 a. Laythemessageoutinamatrix8lettersacross.Eachintegerinthekeytellsyouwhichlettertochooseinthecorrespondingrow.Result: Hesittethbetweenthecherubims.Theislesmaybegladthereof.Astheriversinthesouth.b. Quitesecure.Ineachrowthereisoneofeightpossibilities.Soiftheciphertextis8nlettersinlength,thenthenumberofpossibleplaintextsis8n.c. Notverysecure.LordPeterfigureditout.(fromTheNineTailors)Chapter3BlockCiphersandtheDataEncryptionStandardAnswerstoQuestions3.1MostsymmetricblockencryptionalgorithmsincurrentusearebasedontheFeistelblockcipherstructure.Therefore,astudyoftheFeistelstructurerevealstheprinciplesbehindthesemorerecentciphers.3.2Astreamcipherisonethatencryptsadigitaldatastreamonebitoronebyteatatime.Ablockcipherisoneinwhichablockofplaintextistreatedasawholeandusedtoproduceaciphertextblockofequallength.3.3Ifasmallblocksize,suchasn=4,isused,thenthesystemisequivalenttoaclassicalsubstitutioncipher.Forsmalln,suchsystemsarevulnerabletoastatisticalanalysisoftheplaintext.Foralargeblocksize,thesizeofthekey,whichisontheorderofn2n,makesthesystemimpractical.3.4Inaproductcipher,twoormorebasicciphersareperformedinsequenceinsuchawaythatthefinalresultorproductiscryptographicallystrongerthananyofthecomponentciphers.3.5Indiffusion,thestatisticalstructureoftheplaintextisdissipatedintolong-rangestatisticsoftheciphertext.Thisisachievedbyhavingeachplaintextdigitaffectthevalueofmanyciphertextdigits,whichisequivalenttosayingthateachciphertextdigitisaffectedbymanyplaintextdigits.Confusionseekstomaketherelationshipbetweenthestatisticsoftheciphertextandthevalueoftheencryptionkeyascomplexaspossible,againtothwartattemptstodiscoverthekey.Thus,eveniftheattackercangetsomehandleonthestatisticsoftheciphertext,thewayinwhichthekeywasusedtoproducethatciphertextissocomplexastomakeitdifficulttodeducethekey.Thisisachievedbytheuseofacomplexsubstitutionalgorithm.3.6 Blocksize:Largerblocksizesmeangreatersecurity(allotherthingsbeingequal)butreducedencryption/decryptionspeed.Keysize:Largerkeysizemeansgreatersecuritybutmaydecreaseencryption/decryptionspeed.Numberofrounds:TheessenceoftheFeistelcipheristhatasingleroundoffersinadequatesecuritybutthatmultipleroundsofferincreasingsecurity.Subkeygenerationalgorithm:Greatercomplexityinthisalgorithmshouldleadtogreaterdifficultyofcryptanalysis.Roundfunction:Again,greatercomplexitygenerallymeansgreaterresistancetocryptanalysis.Fastsoftwareencryption/decryption:Inmanycases,encryptionisembeddedinapplicationsorutilityfunctionsinsuchawayastoprecludeahardwareimplementation.Accordingly,thespeedofexecutionofthealgorithmbecomesaconcern.Easeofanalysis:Althoughwewouldliketomakeouralgorithmasdifficultaspossibletocryptanalyze,thereisgreatbenefitinmakingthealgorithmeasytoanalyze.Thatis,ifthealgorithmcanbeconciselyandclearlyexplained,itiseasiertoanalyzethatalgorithmforcryptanalyticvulnerabilitiesandthereforedevelopahigherlevelofassuranceastoitsstrength.3.7TheS-boxisasubstitutionfunctionthatintroducesnonlinearityandaddstothecomplexityofthetransformation.3.8Theavalancheeffectisapropertyofanyencryptionalgorithmsuchthatasmallchangeineithertheplaintextorthekeyproducesasignificantchangeintheciphertext.3.9 DifferentialcryptanalysisisatechniqueinwhichchosenplaintextswithparticularXORdifferencepatternsareencrypted.Thedifferencepatternsoftheresultingciphertextprovideinformationthatcanbeusedtodeterminetheencryptionkey.Linearcryptanalysisisbasedonfindinglinearapproximationstodescribethetransformationsperformedinablockcipher.AnswerstoProblems3.1 a.Forann-bitblocksizeare2npossibledifferentplaintextblocksand2npossibledifferentciphertextblocks.Forboththeplaintextandciphertext,ifwetreattheblockasanunsignedinteger,thevaluesareintherange0through2n–1.Foramappingtobereversible,eachplaintextblockmustmapintoauniqueciphertextblock.Thus,toenumerateallpossiblereversiblemappings,theblockwithvalue0canmapintoanyoneof2npossibleciphertextblocks.Foranygivenmappingoftheblockwithvalue0,theblockwithvalue1canmapintoanyoneof2n–1possibleciphertextblocks,andsoon.Thus,thetotalnumberofreversiblemappingsis(2n)!.b.Intheory,thekeylengthcouldbelog2(2n)!bits.Forexample,assigneachmappinganumber,from1through(2n)!andmaintainatablethatshowsthemappingforeachsuchnumber.Then,thekeywouldonlyrequirelog2(2n)!bits,butwewouldalsorequirethishugetable.Amorestraightforwardwaytodefinethekeyistohavethekeyconsistoftheciphertextvalueforeachplaintextblock,listedinsequenceforplaintextblocks0through2n–1.ThisiswhatissuggestedbyTable3.1.Inthiscasethekeysizeisn2nandthehugetableisnotrequired.3.2Becauseofthekeyschedule,theroundfunctionsusedinrounds9through16aremirrorimagesoftheroundfunctionsusedinrounds1through8.Fromthisfactweseethatencryptionanddecryptionareidentical.Wearegivenaciphertextc.Letm'=c.Asktheencryptionoracletoencryptm'.Theciphertextreturnedbytheoraclewillbethedecryptionofc.3.3a. WeneedonlydeterminetheprobabilitythatfortheremainingN–tplaintextsPi,wehaveE[K,Pi]≠E[K',Pi].ButE[K,Pi]=E[K',Pi]foralltheremainingPiwithprobability1–1/(N–t)!.b. WithoutlossofgeneralitywemayassumetheE[K,Pi]=PisinceEK(?)istakenoverallpermutations.ItthenfollowsthatweseektheprobabilitythatapermutationonN–tobjectshasexactlyt'fixedpoints,whichwouldbetheadditionalt'pointsofagreementbetweenE(K,?)andE(K',?).ButapermutationonN–tobjectswitht'fixedpointsisequaltothenumberofwayst'outofN–tobjectscanbefixed,whiletheremainingN–t–t'arenotfixed.ThenusingProblem3.4wehavethat Pr(t'additionalfixedpoints) =Pr(nofixedpointsinN–t–t'objects) = Weseethatthisreducestothesolutiontopart(a)whent'=N–t.3.4 Letbethesetofpermutationson[0,1,...,2n–1],whichisreferredtoasthesymmetricgroupon2nobjects,andletN=2n.For0≤i≤N,letAibeallmappingsforwhichπ(i)=i.Itfollowsthat|Ai|=(N–1)!and=(N–k)!.Theinclusion-exclusionprinciplestatesthat Pr(nofixedpointsinπ) = = = 1–1+1/2!–1/3!+...+(–1)N1/N! = e–1+ Thensincee–10.368,wefindthatforevensmallvaluesofN,approximately37%ofpermutationscontainnofixedpoints.3.53.6MainkeyK=111…111(56bits) RoundkeysK1=K2=…=K16=1111..111(48bits) CiphertextC=1111…111(64bits) Inputtothefirstroundofdecryption= LD0RD0=RE16LE16=IP(C)=1111...111(64bits) LD0=RD0=1111...111(32bits) Outputofthefirstroundofdecryption=LD1RD1 LD1=RD0=1111…111(32bits) Thus,thebitsno.1and16oftheoutputareequalto‘1’. RD1=LD0F(RD0,K16) Wearelookingforbitsno.1and16ofRD1(33and48oftheentireoutput). BasedontheanalysisofthepermutationP,bit1ofF(RD0,K16)comesfromthefourthoutputoftheS-boxS4,andbit16ofF(RD0,K16)comesfromthesecondoutputoftheS-boxS3.ThesebitsareXOR-edwith1’sfromthecorrespondingpositionsofLD0. InsideofthefunctionF, E(RD0)≈K16=0000…000(48bits), andthusinputstoalleightS-boxesareequalto“000000”. OutputfromtheS-boxS4=“0111”,andthusthefourthoutputisequalto‘1’, OutputfromtheS-boxS3=“1010”,andthusthesecondoutputisequalto‘0’. Fromhere,aftertheXOR,thebitno.33ofthefirstroundoutputisequalto‘0’,andthebitno.48isequalto‘1’.3.7InthesolutiongivenbelowthefollowinggeneralpropertiesoftheXORfunctionareused:A1=A'(AB)'=A'B=AB'A'B'=ABWhereA'=thebitwisecomplementofA. a. F(Rn,Kn+1)=1 Wehave Ln+1=Rn;Rn+1=LnF(Rn,Kn+1)=Ln1=Ln' Thus Ln+2=Rn+1=Ln';Rn+2=Ln+1=Rn' i.e.,aftereachtworoundsweobtainthebitcomplementoftheoriginalinput,andeveryfourroundsweobtainbacktheoriginalinput: Ln+4=Ln+2'=Ln;Rn+2=Rn+2'=Rn Therefore, L16=L0;R16=R0 AninputtotheinverseinitialpermutationisR16L16. Therefore,thetransformationcomputedbythemodifiedDEScanberepresentedasfollows: C=IP–1(SWAP(IP(M))),whereSWAPisapermutationexchangingthepositionoftwohalvesoftheinput:SWAP(A,B)=(B,A). Thisfunctionislinear(andthusalsoaffine).Actually,thisisapermutation,theproductofthreepermutationsIP,SWAP,andIP–1.Thispermutationishoweverdifferentfromtheidentitypermutation.b.F(Rn,Kn+1)=Rn' Wehave Ln+1=Rn;Rn+1=LnF(Rn,Kn+1)=LnRn' Ln+2=Rn+1=LnRn' Rn+2=Ln+1F(Rn+1,Kn+2)=Rn≈(LnRn')'=RnLnRn''=Ln Ln+3=Rn+2=Ln Rn+3=Ln+2F(Rn+2,Kn+3)=(Ln≈Rn')Ln'=Rn'1=Rn i.e.,aftereachthreeroundswecomebacktotheoriginalinput. L15=L0;R15=R0 and L16=R0(1) R16=L0R0'(2) AninputtotheinverseinitialpermutationisR16L16. Afunctiondescribedby(1)and(2)isaffine,asbitwisecomplementisaffine,andtheothertransformationsarelinear. ThetransformationcomputedbythemodifiedDEScanberepresentedasfollows: C=IP–1(FUN2(IP(M))),whereFUN2(A,B)=(AB',B). Thisfunctionisaffineasaproductofthreeaffinefunctions. Inallcasesdecryptionlooksexactlythesameasencryption.3.8 a.First,passthe64-bitinputthroughPC-1(Table3.4a)toproducea56-bitresult.Thenperformaleftcircularshiftseparatelyonthetwo28-bithalves.Finally,passthe56-bitresultthroughPC-2(Table3.4b)toproducethe48-bitK1.: inbinarynotation: 000010110000001001100111 100110110100100110100101 inhexadecimalnotation: 0B02679B49A5b.L0,R0arederivedbypassingthe64-plaintextthroughIP(Table3.2a): L0=11001100000000001100110011111111 R0=11110000101010101111000010101010c.TheEtable(Table3.2c)expandsR0to48bits: E(R0)=01110100001010101010101011110100001010101010101d.A=011100010001011100110010111000010101110011110000e.(1110)=(14)= 0(base10) = 0000(base2)(1000)=(8)= 12(base10) = 1100(base2)(1110)=(14)= 2(base10) = 0010(base2)(1001)=(9)= 1(base10) = 0001(base2)(1100)=(12)= 6(base10) = 0110(base2)(1010)=(10)= 13(base10) = 1101(base2)(1001)=(9)= 5(base10) = 0101(base2)(1000)=(8)= 0(base10) = 0000(base2)f.B=00001100001000010110110101010000g.UsingTable3.2d,P(B)=10010010000111000010000010011100h.R1=01011110000111001110110001100011i.L1=R0.TheciphertextistheconcatenationofL1andR1.Source:[MEYE82]3.9 ThereasoningfortheFeistelcipher,asshowninFigure3.6appliesinthecaseofDES.WeonlyhavetoshowtheeffectoftheIPandIP–1functions.Forencryption,theinputtothefinalIP–1isRE16||LE16.Theoutputofthatstageistheciphertext.Ondecryption,thefirststepistotaketheciphertextandpassitthroughIP.BecauseIPistheinverseofIP–1,theresultofthisoperationisjustRE16||LE16,whichisequivalenttoLD0||RD0.Then,wefollowthesamereasoningaswiththeFeistelciphertoreachapointwhereLE0=RD16andRE0=LD16.DecryptioniscompletedbypassingLD0||RD0throughIP–1.Again,becauseIPistheinverseofIP–1,passingtheplaintextthroughIPasthefirststepofencryptionyieldsLD0||RD0,thusshowingthatdecryptionistheinverseofencryption.3.10a. Letusworkthisfromtheinsideout. T16(L15||R15)=L16||R16 T17(L16||R16)=R16||L16 IP[IP–1(R16||L16)]=R16||L16 TD1(R16||L16)=R15||L15b. T16(L15||R15)=L16||R16IP[IP–1(L16||R16)]=L16||R16TD1(R16||L16)=R16||L16f(R16,K16) ≠L15||R153.11 PC-1isessentiallythesameasIPwitheveryeighthbiteliminated.Thiswouldenableasimilartypeofimplementation.Beyondthat,theredoesnotappeartobeanyparticularcryptographicsignificance.3.12Roundnumber12345678910111213141516Bitsrotated01222222122222213.13a. Theequalityinthehintcanbeshownbylistingall1-bitpossibilities:ABAB(AB)'A'B00011011001010011011 WealsoneedtheequalityAB=A'B',whichiseasilyseentobetrue.Now,considerthetwoXORoperationsinFigure3.8.Iftheplaintextandkeyforanencryptionarecomplemented,thentheinputstothefirstXORarealsocomplemented.Theoutput,then,isthesameasfortheuncomplementedinputs.Furtherdown,weseethatonlyoneofthetwoinputstothesecondXORiscomplemented,therefore,theoutputisthecomplementoftheoutputthatwouldbegeneratedbyuncomplementedinputs.b. Inachosenplaintextattack,ifforchosenplaintextX,theanalystcanobtainY1=E[K,X]andY2=E[K,X'],thenanexhaustivekeysearchrequiresonly255ratherthan256encryptions.Toseethis,notethat(Y2)'=E[K',X].Now,pickatestvalueofthekeyTandperformE[T,X].IftheresultisY1,thenweknowthatTisthecorrectkey.Iftheresultis(Y2)',thenweknowthatT'isthecorrectkey.Ifneitherresultappears,thenwehaveeliminatedtwopossiblekeyswithoneencryption.3.14 Theresultcanbedemonstratedbytracingthroughthewayinwhichthebitsareused.Aneasy,butnotnecessary,waytoseethisistonumberthe64bitsofthekeyasfollows(readeachverticalcolumnof2digitsasanumber):2113355-1025554-0214434-1123334-0012343-2021453-2435-0110454-1031975-1176107-2423401-7632789-7452553-0858846-6836043-9495226- Thefirstbitofthekeyisidentifiedas21,thesecondas10,thethirdas13,andsoon.Theeightbitsthatarenotusedinthecalculationareunnumbered.Thenumbers01through28and30through57areused.Thereasonforthisassignmentistoclarifythewayinwhichthesubkeysarecho