CS255: Cryptography and Computer Security Winter 2007
Assignment #1: Solutions
Problem 1 Secret sharing.
a. Suppose Alice shares a secret block cipher key, KAB with Bob, and a different secret
block cipher key, KAC with Charlie. Describe a method for Alice to encrypt an m-
block message such that it can only be decrypted with the cooperation of both Bob
and Charlie. The ciphertext should only be a constant size greater than m blocks. You
may assume that Bob and Charlie have a pre-established secret channel on which to
communicate.
Alice can first pick a random key K to encrypt the message M , and then she encrypts
the key K with both KAB and KAC . In other words, Alice does the following:
EK [EK (K)] k EK (M )
| AB {z AC }
header
b. Now, suppose Alice shares a block cipher key, KAB with Bob, a block cipher key KAC
with Charlie, and a block cipher key KAD with David. Describe a method for Alice to
encrypt an m-block message such that any two of Bob, Charlie, and David can decrypt
(for example, Bob and Charlie can decrypt), but none of them can decrypt the message
themselves. Again, the ciphertext should only be a constant size greater than m blocks.
Hint: Pick a random message encryption key to encrypt the message with. Then add
three ciphertext blocks to the ciphertext header.
Similar to Part a, Alice does the following:
EK [EKAC (K)] k EKAB [EKAD (K)] k EKAC [EKAD (K)] k EK (M )
| AB {z }
header
c. How does your solution from part (b) scale as we increase the number of recipients? In
other words, suppose Alice has a secret key with each of n recipients and wants to encrypt
so that any k out of n recipients can decrypt, but any k − 1 cannot. What would be the
length of the header as a function of n and k?
Your answer shows that this solution scales poorly. We will discuss a far more efficient
solution later on in the class.
It is straightforward to generalize the above scheme to the case where any k out of the
n �recipients can decrypt, but any k − 1 cannot. The length of the header would be
n
k = n!/k!(n − k)!. Note that we have the inequalities:
� n �k �n� � ne �k
≤ ≤
k k k
1
� This shows that the proposed solution scales poorly.
Problem 2 The movie industry wants to protect digital content distributed on DVD’s. We study
one possible approach. Suppose there are at most a total of n DVD players in the world (e.g.
n = 232 ). We view these n players as the leaves of a binary tree of height log 2 n. Each node vi
in this binary tree contains an AES key Ki . These keys are kept secret from consumers and
are fixed for all time. At manufacturing time each DVD player is assigned a serial number
i ∈ [0, n − 1]. Consider the set Si of log2 n nodes along the path from the root to leaf number
i in the binary tree. The manufacturer of the DVD player embeds in player number i the
log2 n keys associated with the nodes in Si . In this way each DVD player ships with log 2 n
keys embedded in it (these keys are supposedly inaccessible to consumers). A DVD movie M
is encrypted as
DV D = EKroot (K)
E (M )
| {z }
| K{z }
header body
where K is some random AES key called a content-key. Since all DVD players have the key
Kroot all players can decrypt the movie M . We refer to EKroot (K) as the header and EK (M )
as the body. In what follows the DVD header may contain multiple ciphertexts where each
ciphertext is the encryption of the content-key K under some key Ki in the binary tree.
a. Suppose the log2 n keys embedded in DVD player number r are exposed by hackers and
published on the Internet (say in a program like DeCSS). Show that when the movie
industry is about to distribute a new DVD movie they can encrypt the contents of the
DVD using a header of size log2 n so that all DVD players can decrypt the movie except
for player number r. In effect, the movie industry disables player number r.
Hint: the header will contain log2 n ciphertexts where each ciphertext is the encryption
of the content-key K under certain log 2 n keys from the binary tree.
Let nodes v1 , . . . , vlog2 n be the nodes along the path from the root of the tree to leaf node
number r. Since the tree is binary every node vi for i = 2, . . . , log2 n has exactly one
sibling. Let u2 , u3 , . . . , ulog2 n be the siblings of nodes v2 , . . . , vlog2 n . Let K2 , . . . , Klog2 n
be the AES keys associated with the nodes u2 , . . . , ulog2 n . The header will contain the
encryption of the content-key K under all keys K = {K2 , . . . , Klog2 n }. Clearly player
number r cannot decrypt the movie since it does not have any of the keys in K. However,
any other player t 6= r can decrypt the movie. To see this, consider the path from the
root of the binary tree to leaf node t. Let u be the highest node along this path that
does not appear on the path from the root to leaf node r. Then the key K u associated
with node u is in the set K (since the sibling of u is a on on the path to r). Furthermore,
player t contains the key Ku and it can therefore obtain the content-key and then the
movie. Hence, player r cannot play the movie, but all other players can.
b. Suppose the keys embedded in k DVD players R = {r1 , . . . , rk } are exposed by hackers.
Show that the movie industry can encrypt the contents of a new DVD using a header
of size O(k log n) so that all players can decrypt the movie except for the players in
R. You have just shown that all hacked players can be disabled without affecting other
consumers.
2
� For i = 1, . . . , k let Ui be the set of consecutive leaves in the range [ri , ri+1 ] (we are
assuming r0 = 0 and rk+1 = n). For an internal node v in the binary tree let Sv be
the set of leaves in the subtree rooted at v. We say that a set of leaves U i is exactly
covered by internal nodes v1 , . . . , vb if Ui = ∪bj=1 Svj . We show below that each set Ui
can be exactly covered by a set of at most 2 log 2 n internal nodes. This means that
to exactly cover all sets U0 , . . . , Ur we need at most c = 2(r + 1) log2 n internal nodes.
Let v1 , . . . , vc be the internal nodes needed to cover all of U0 , . . . , Ur . If we encrypt the
content-key using the keys Kv associated with each of these nodes then all players other
than those in R can recover the content-key while the players in R cannot. This shows
that using header containing at most 2(r + 1) log 2 n ciphertexts we can revoke all players
in R without affective any of the other players.
It remains to show that given a set of consecutive leaves U in some range [a, b] it is
possible to exactly cover U using at most 2 log 2 n internal nodes. Let u1 be the highest
node in the tree so that the subtree rooted at u1 has leaf a as its left most leaf. Let v1
be the highest node in the tree so that the subtree rooted at v1 has leaf b as its right
most leaf. Now, for i = 2, . . . , log2 n define ui to be the right sibling of the parent of ui−1
(the right sibling of a node w is the node at the same height as w which is immediately
on the right of w). Similarly, define vi to be the left sibling of the parent of vi−1 . Let
j be the smallest value so that uj = vj or that uj , vj are adjacent siblings in the tree.
Then it is easy to see that u1 , . . . , uj , vj , . . . , v1 is an exact cover of [a, b]. This covering
set contains at most 2 log2 n nodes as required.
Problem 3 Let E, D be the encryption/decryption algorithms of a certain block cipher. Consider
the following chaining method for double DES like encryption:
m1 m2 m3 m4
k + + + +
k1 E k1 E k1 E k1 E
k2 E k2 E k2 E k2 E
c1 c2 c3 c4
The secret key is a triple (k, k1 , k2 ) where k is as long as E’s block size (64 bits for DES) and
k1 , k2 are as long as E’s key size (56 bits for DES). For example, when E is DES the total key
size is 64+56+56 = 176 bits.
a. Describe the decryption circuit for this system.
3
� c1 c2 c3 c4
k2 D k2 D k2 D k2 D
k1 D k1 D k1 D k1 D
k + + + +
m1 m2 m3 m4
b. Show that using two short chosen ciphertext decryption queries an attacker can recover
the full key (k, k1 , k2 ) in approximately the time it takes to run algorithm D 2` times
(i.e. the attack running time should be O(2` time(D)). Here ` is the block cipher’s key-
length (56 bits for DES). Your attack shows that this system can be broken much faster
than exhaustive search.
Hint: Consider the two decryption queries hC1 , C2 , C3 , C4 i and hC10 , C2 , C30 , C4 i where
C1 , . . . , C4 and C10 , C30 are random ciphertext blocks.
Following the hint, query the chosen ciphertext oracle on randomly-chosen inputs hC 1 ,
C2 , C3 , C4 i and hC10 , C2 , C30 , C4 i to get hM1 , M2 , M3 , M4 i and hM10 , M20 , M30 , M40 i.
¿From the decryption circuit we see
M2 = Dk2 (C1 ) ⊕ Dk1 (Dk2 (C2 )),
M20 = Dk2 (C10 ) ⊕ Dk1 (Dk2 (C2 )),
M4 = Dk2 (C3 ) ⊕ Dk1 (Dk2 (C4 )),
M40 = Dk2 (C30 ) ⊕ Dk1 (Dk2 (C4 )).
If we pair these equations and take xors, we find
M2 ⊕ M20 = Dk2 (C1 ) ⊕ Dk2 (C10 ),
M4 ⊕ M40 = Dk2 (C3 ) ⊕ Dk2 (C30 ).
We iterate over possible candidate keys K2 ∈ {0, 1}` for k2 , and check the following
equations:
?
M2 ⊕ M20 = DK2 (C1 ) ⊕ DK2 (C10 ), (1)
?
M4 ⊕ M40 = DK2 (C3 ) ⊕ DK2 (C30 ). (2)
If we find a unique K2 satisfying both the above, we conclude K2 = k2 and proceed to
the next step of the attack. (We come back to the probability analysis for uniqueness
below.) Otherwise, choose new random Ci and Ci0 and restart.
Now notice
M2 = Dk2 (C1 ) ⊕ Dk1 (Dk2 (C2 )),
M3 = Dk2 (C2 ) ⊕ Dk1 (Dk2 (C3 )).
4
� Cache Xi := Dk2 (Ci ) for i = 1, 2, 3. We can rewrite these equations as
Mi ⊕ Xi = Dk1 (Xi+1 )
for i = 1, 2. We iterate over possible candidates K1 for k1 , and check if the following
equations hold.
?
Mi ⊕ X1 = DK1 (X2 ) (3)
?
Mi ⊕ X2 = DK1 (X3 ) (4)
If we find a unique K1 satisfying equations (3) and (4), we conclude K1 = k1 and proceed
to next step of the attack.
Lastly, once k1 and k2 have been found, we can compute k = M1 ⊕Dk1 (Dk2 (C1 )) directly.
Probability Analysis and Running Time: If we model each DK2 , K2 6= k2 as
a random permutation, then DK2 (Ci ) and DK2 (Ci0 ) are independent, uniform random
variables in {0, 1}B , where B is the block size of D. So DK2 (Ci ) ⊕ DK2 (Ci0 ) is uniformly
random in {0, 1}B . Consequently, the probability that a particular K2 6= k2 satisfies
equation (1) is 2−B . Similarly for equation (2).
Since hC1 , C10 i and hC3 , C30 i are independent, the probability that a particular K2 6= k2
satisfies both equations (1) and (2) is 2−2B . So
Pr[∃K2 6= k2 s.t. DK2 (Ci ) ⊕ DK2 (Ci0 ) = Mi+1 ⊕ Mi+1 0
, i = 1, 3]
X
≤ Pr[DK2 (Ci ) ⊕ DK2 (Ci0 ) = Mi+1 ⊕ Mi+1
0
, i = 1, 3]
K2 6=k2
≤ (2` )(2−2B ) = 2−72 for ` = 56, B = 64.
So the success probability is better than 1 − 2−72 , which is awfully close to 1.
A nearly identical argument holds for the uniqueness of K1 = k1 .
Since there is probability very close to 1 that k1 and k2 are both uniquely determined
and hence found by the above algorithm, an upper bound on the expected running
time of this algorithm is given by approximately one iteration of the main attack. The
number of decryptions executed in the first stage (finding k2 ) is 4 · 2` , and the number
of decryptions executed in the second stage is also 4 · 2` . So the total running time is
bounded above by 8 · 2` · time(D), which is O(2` · time(D)).
Alternatively, we could only check equations (1) and (3) (referring to equations (2) and
(4) if we have nonuniqueness from those equations) which would in practice shave off a
constant factor. . .
Problem 4 Traitor tracing. Satellite content providers (such as satellite radio) often use hardware
players to enforce specific usage policy (e.g. the content cannot be saved after it is played).
Player i contains an encryption key Ki that it uses to decrypt and play the broadcast content.
Now suppose some user j breaks open his player, recovers key Kj , and builds a pirate player P
that decrypts and saves all broadcast content in the clear. When this pirate player P is
somehow found, the content provider would like to tell whose key Kj was used to construct P
(supposedly, this user j will have to answer some tough questions). Finding the key K j that
was used to build P is called tracing and the key Kj is called the traitor key.
5
�Let n = 32 and suppose there are at most 2n players in existence. Consider the following
encryption system:
k0,0 k1,0 k2,0 · · · kn−1,0
Setup: generate 2n keys:
k0,1 k1,1 k2,1 · · · kn−1,1
Player number ` (for ` = 0, 1, . . . , 2n −1) is given key K`P
defined as follows. Let bn−1 bn−2 . . . b0 ∈
{0, 1} be the binary representation of ` (so that ` = n−1
n i
i=0 bi 2 ). Then key K` is
K` = ( k0,b0 , k1,b1 , . . . , kn−1,bn−1 )
Encrypt: to transmit content m, the content provider picks a random i ∈ {0, 1, . . . , n − 1}
and broadcasts via satellite the ciphertext:
C = ( i, E(ki,0 , m), E(ki,1 , m) )
a. Show that all players ` = 0, 1, . . . , 2n − 1 can decrypt the broadcast and obtain m.
For every i ∈ {1, . . . , 32}, a particular player ` has either key ki,0 or key ki,1 , depending
on bi – the i-th bit in the binary representation of `. Given a ciphertext (i, c0 , c1 ), player
` can obtain the message m by decrypting cbi .
b. Suppose key Kj is used to create a pirate decoder P . Show that the content provider
can use P as a black-box and recover the index j. The content owner need not reverse
engineer player P — it only uses P as a black box feeding it ciphertexts and observing the
result. We are assuming that users do not collude so that P is created using knowledge
of a single secret key Kj .
Hint: try to recover one bit of j at a time by feeding P a total of n carefully crafted
ciphertexts C0 , C1 , . . . , Cn−1 .
Assume that the pirate decoder has the key Kj embedded. Suppose we feed the cipher-
text Ci = ( i, E(ki,0 , m0 ), E(ki,1 , m1 ) ) into the player, with m0 and m1 corresponding
to observably different content. If the player plays content m0 (resp. m1 ) then it must
posses the key ki,0 (resp. ki,1 ). Hence, by observing the result, we learn the i-th bit of
index j. By feeding n different ciphertext we can retrieve the complete index j bit by
bit.
c. Suppose a pirate is able to obtain two player keys Ki and Kj for some i, j (where i ⊕ j is
not a power of 2). Show how the pirate can build a player P that will evade detection by
your tracing algorithm from part (b). That is, your tracing algorithm will fail to output
either i or j.
Side note: traitor tracing is a somewhat evil use of cryptography. Fortunately, traitor tracing
systems have a number of applications unrelated to content protection.
Let in−1 in−2 . . . i0 and jn−1 jn−2 . . . j0 be the binary representations of i and j respectively.
Let a be an index where the two binary representation differ – i.e. a ∈ {0, 1, . . . , n − 1} such
6
� that ia 6= ja . We build the pirate player P by replacing the a-th key in player i with the a-th
key from player j. In other words, player P has the following key embedded:
KP = (ki0 , ki1 , . . . , kia−1 , kja , kia+1 , . . . , kin−1 )
Tracing algorithm from part (b) produces the index l = in−1 . . . ia+1 ja ia−1 . . . i0 . Since ia 6= ja
index l is obviously different from i, since i ⊕ j is not a power of 2, index l has to be different
from j as well.
Problem 5 Consider the following CSS-like pseudo random generator. Assume the generator is
used as a stream cipher to encrypt the contents of a DVD.
(n1 + 1)-bit LFSR
(n2 + 1)-bit LFSR
The secret key is n = n1 + n2 bits (recall that n1 = 16 and n2 = 24 for CSS). The top
LFSR is initialized with 1||k1 where k1 is the leftmost n1 bits of the key. The bottom LFSR
is initialized with 1||k2 where k2 is the rightmost n2 bits of the key. The output of the two
LFSR’s is xored and the resulting bitstream is the pseudo random sequence used to encrypt
the plaintext. Show that an attacker who is only given the initial 2n bits of output of this
generator can produce the rest of the output sequence in time approximately 2 min(n1 ,n2 ) .
Hint: Do an exhaustive search on all possible states of one LFSR and try to deduce the state
of the other LFSR.
An exhaustive search attack takes time 2n to produce the rest of the output sequence. Your
attack is much faster. For CSS, your attack takes approximately 216 steps which only takes
a few milliseconds on a modern processor. Consequently, the resulting stream cipher is
completely insecure once a few bits of a plaintext/ciphertext pair are known.
Let K|2n be the 2n-bit output of the keystream generator. And assume that n1 ≤ n2 . We
proceed with the following algorithm:
Iterate through the 2n1 possible states of the unknown n1 bits of the top LFSR. For each
possible state T |n1 +1 we:
1. Generate an additional n2 − n1 bits from the top LFSR using T |n1 +1 as the initial state
of the top LFSR. This yields the first n2 + 1 bits, T |n2 +1 , of the top LFSR’s output.
2. Compute B|n2 +1 = K|n2 +1 ⊕ T . This yields the first n2 + 1 bits, B|n2 +1 output by the
bottom LFSR.
7
� 3. Using T |n1 +1 and B|n2 +1 as the initial states of the top and bottom LFSR’s respectively,
generate K 0 |2n (the proposed first 2n bits of the keystream generator’s output).
4. If K 0 |2n = K|2n then we have a match and, with high probability, can predict the rest
of the keystream. If K 0 |2n 6= K|2n , then we try another initial state of the top LFSR.
This algorithm requires only an exhaustive search over the 2n1 initial states of the top LFSR
(the first bit of both LFSR’s is always 1) and so our attack runs in time O(2n1 ).
Probability Analysis
Let us model both Ts1 (the top LFSR with initial state s1 ) and Bs2 (the bottom LFSR with
initial state s2 ) as random permutations. Then, the first 2n bits produced by Ts1 and Bs2 are
independent, uniform random variables in {0, 1}2n . Thus Ts1 |2n ⊕ Bs2 |2n is an independent,
uniform random variable in {0, 1}2n .
Let s be the actual n bit initial state of the two LFSRs and let s0 represent some n-bit string.
We say that the 4th step of the algorithm fails if it succeeds for some s0 6= s. The probability
that some s0 6= s satisfies the test in step 4 of the algorithm is
Pr[∃(s0 = s01 ||s02 ) 6= s s.t. Ts01 |2n ⊕ Bs02 |2n = K|2n ]
X
≤ Pr[Ts01 |2n ⊕ Bs02 |2n = K|2n ]
s01 6=s1
≤ (2n1 +1 )(2−2n )
So, in the case of CSS, the probability of a unique solution is better that 1 − 2−63 which is
very close to 1.
Problem 6 Given a cryptosystem Ek , define the randomized cryptosystem Fk by
Fk (M ) = (Ek (R), R ⊕ M ),
where R is a random bit string of the same size as the message. That is, the output of F k (M )
is the encryption of a random one-time pad along with the original message XORed with the
random pad. A new independent random pad R is chosen for every encryption.
We consider two attack models. The goal of both models is to reconstruct the actual secret
key k.1
• In the key-reconstruction chosen plaintext attack (KR-CPA), the adversary is allowed to
generate strings M1 , M2 , . . . and for each Mi learn a corresponding ciphertext.
• In the key-reconstruction random plaintext attack (KR-RPA), the adversary is given
random plaintext/ciphertext pairs.
Note that for the case of Fk the opponent has no control over the random pad R used in the
creation of the given plaintext/ciphertext pairs. Clearly a KR-CPA attack gives the attacker
more power than a KR-RPA attack. Consequently, it is harder to build cryptosystems that
are secure against KR-CPA.
Prove that if Ek is secure against KR-RPA attacks then Fk is secure against KR − CPA attacks.
1
This is a very strong goal - one might be able to decrypt messages without ever learning k.
8
�Hint: It is easiest to show the contrapositive. Given an algorithm A that executes a successful
KR − CPA attack against Fk , construct an algorithm B (using A as a “subroutine”) that
executes a successful KR − RPA attack against Ek . First, define precisely what algorithm A
takes as input, what queries it makes, and what it produced as output. Do the same for B.
Then construct an algorithm B that runs A on a certain input and properly answers all of A’s
queries. Show that the output produced by A enables B to complete the KR − RPA attack
against Ek .
Suppose we have an algorithm A which can successfully execute a KR-CPA attack against
Fk , and we wish to break Ek with a KR-RPA attack. That is, we design an algorithm B
which can query to obtain a random plaintext/ciphertext pairs (Ri , Ek (Ri )), and B wishes
to find k.
The basic problem is that in order to use A as a subroutine, we must simulate F k on arbitrary
inputs M .
The algorithm B begins the execution of A, and to each query Mi which A requests to
see encrypted, B obtains a new random plaintext/ciphertext pair (Ri , Ek (Ri )) and responds
with F̃k (M ) := (Ek (Ri ), Ri ⊕ M ). Since each Ri is independent and uniformly random,
the simulated F̃k (M ) have exactly the same distribution as the genuine Fk (M ). So after
some number of queries, A completes its attack successfully and returns the key k, which is
subsequently returned by B.
