MasterMath Cryptology Course
Spring 2023
Part I - Cryptanalysis
dr. ir. Marc Stevens
Email: mastermath AT marc DASH stevens DOT nl
News
- Part I website up
- 9 February: Week 1 material. See 'reverse classroom' format explained below.
The first week the course will be fully online due to public transport strikes.
Watch the prerecorded lectures before the lecture timeslot, as the online
session will be used for getting to know each other, exercises and Q & A.
- 16 February: Week 2 material.
Watch the prerecorded lecture before.
Room is available from 10:00 to prepare, we'll start at 11:00.
- 23 February: cancelled
- 2 March: Week 3 material. Fully online on wonder.me due to public transport strikes.
- 9 March: Week 4 material.
- 13 March: Week 5 material.
- 20 March: Week 6 material.
- Open position for Ph.D. position at CWI & ULeiden on Quantum-Safe
Cryptanalysis: more
information
Note that this half of the course on 'Cryptanalysis' follows the 'reversed classroom'
format.
That is, self-study using lecture notes and prerecorded lectures.
These will be made available each thursday afternoon well in advance for the next classroom session.
The official classroom timeslot will be used for central discussion, individual questions and the exercises.
Nevertheless, feel free to pose questions any time via ELO or email.
Note that we'll start at
11:00 at
Utrecht University, Buys Ballot Gebouw, room 017.
The main entrance to the building is via the 1st floor of Victor J. Koningsbergergebouw.
(Enter through the revolving doors, take the large wide stairs to the 1st
floor. Then walk all the way to the back and take the stairs down, you're
now in BBG.)
The room should be available from
10:00 to prepare.
An exception is the first week which is online on wonder.me due to large public transport strikes.
Course General Information
The official home page is
here.
The official time slot for this course is Thursdays 10:00 - 12:45 at Utrecht
University, Buys Ballot Gebouw, room 017.
The first part will be taught from February 9 to March 23 by
Marc Stevens.
The second part will be taught from March 30 to May 25 by
Tanja Lange.
Note that April 27 and May 18 are national holidays.
The exam is planned for June 8. The exam will be a written or an oral exam, depending on the number of students.
Links:
- wonder.me room
(only for online sessions instead of classroom sessions when announced)
Goal:
Cryptology deals with mathematical techniques for design and analysis of algorithms and protocols for digital security in the presence of malicious adversaries.
For example, encryption and digital signatures are used to construct private and authentic communication channels, which are instrumental to secure Internet transactions.
The goal of this course is to provide insight
into cryptography secure against quantum computers (post-quantum cryptography)
as well as various methods for the mathematical cryptanalysis of cryptographic systems.
This course in cryptology consists of two main topics.
This part will cover various generic attacks against common cryptographic primitives (e.g., block ciphers, hash functions) and cover important cryptanalytic attack techniques like time-memory tradeoffs, linear cryptanalysis, differential cryptanalysis and algebraic cryptanalysis.
See also the website of this part from 2021: link.
Exam
See the MasterMath course website for the exam date and location.
For practice you can look at a previous exam:
(exam.pdf)
(Exclude 6(a) as that material has not been covered this year)
and the exercises below.
Some additional hints can be found here:
(hints.pdf).
Planning
Lecture videos are prerecorded and made available through this website.
The official time slot will be used for exercises and Q & A.
The planned classroom (or online wonder.me when announced) sessions start at 11:00.
Lecture Notes
These notes will be updated as the course continues.
Lecture Notes (version 2021 march 31).
Lecture 1 Material
- Lecture Notes chapters 1 - 4.
- Introduction Video: YouTube.
<= watch first, but please disregard any information about the 2021 edition
of this course when this was recorded.
- Lecture (full): Online Powerpoint with
Video (PDF slides)
or YouTube.
- Errrata: Hellman's Online complexity in the lecture video has a typo. It should be
O(rt + rmt^3/|K|).
- Addendum: Computing the total success probability of Hellman's attack by
simply multiplying the individual table success probability by the amount of
tables is a first order approximation sufficient for this course and the exercise. But there
is some loss due to overlap between tables. To be more precise, an accurate calculation can
be done as follows.
Lecture 2 Material
Lecture 3 Material
- Lecture Notes chapter 6 - 6.7.2.
- Lecture Online Powerpoint
(PDF slides)
or YouTube.
- Errrata: slide 14: The block cipher oracle results in bias +/- 1/32, thus
probability 0.5 +/- 1/32. The random oracle results in bias 0, thus probability
0.5.
Lecture 4 Material
- Lecture Notes chapter 6.7.3 - 7.5.
- Lecture Online Powerpoint
(PDF slides)
or YouTube.
- Errrata: slide 2: The block cipher oracle results in bias +/- 1/32, thus
probability 0.5 +/- 1/32. The random oracle results in bias 0, thus probability
0.5.
Lecture 5 Material
Lecture 6 Material
Files
Files belonging to chapters.
Files belonging to chapter 6
You can check out this
SAGE tutorial.
Exercises
I recommend doing the exercises.
Solutions can emailed to the email address above if you want me to verify.
Please use subject line "[exercise N]".
Questions can be placed online, via email or in the designated Q & A session.
Week 1
Exercise 1
Hellman's suggested parameters for his Time-Memory Trade Off attack are m=t=r=N^(1/3) which requires mr=N^(2/3) memory and has success probability about
0.8, where N=|K| is the size of the space.
Q1. What are the attack parameters corresponding to a memory complexity of N^(1/2)
with the same success probability?
(Use mt^2=N and Hellman's success probability estimation).
Q2. What is the online complexity (including false alarms) for these
parameters?
Note errrata: Hellman's Online complexity in the lecture video has a typo. It should be
O(rt + rmt^3/|K|).
Week 2
Exercise 2
In the padding oracle attack when attacking the last byte, it's possible the
oracle returns true because the last r bytes of the modified M'_l have value r with r>1 and
M'_l[b] = M_l[b] XOR x = r. In this case the attack might wrongly conclude M_l[b] =
x XOR 1.
Q. How and when does the attack fail?
Exercise 3
The O(2^(n/2)) distinguishing attack from section 5.9 with M=B||...||B also applies to Counter Mode.
Q1. Which structural properties of the ciphertext can you deduce when there
exists at least one collision among ciphertext blocks?
Q2. How can you use this to slightly simplify the attack algorithm compared to CBC?
Week 3
Exercise 4
Find a 4x4 SBox (i.e. a permutation on strings of 4bits) with no non-trivial linear relations with an absolute bias larger than 4/16.
(Trivial linear relations are those that involve no input bits and/or no output
bits, i.e., the first row and first column of the SBOX LAT.)
(Hint: Use sagemath online at
sagemath or
cocalc.)
Exercise 5
Find another linear relation over the first 3 rounds of the toy cipher with
absolute bias greater or equal to 1/32.
(Different from the one in Chapter 6.)
Week 4
Exercise 6
Find a complete sequence of linear relations over the first 3 rounds of the toy cipher with
absolute bias greater or equal to 1/32 that enables the recovery of K5.
No relation must cover more than 8 *unknown* bits of K5.
Relations with overlapping bits of K5 are recommended to achieve greater
confidence: the correct value of bits of K5 is not always the one with the
highest absolute bias, however it almost always is when taking the total
absolute bias over 2 relations together.
E.g., the linear relation from Chapter 8 can be modified by removing
plaintext bit P_8, this modified relation has bias +1/32 and covers the same
K5-bits. Whereas either individual relation succeeds often enough for random keys
(the correct value has the highest bias), using them together succeeds
almost always (the correct value has the highest total bias).
Exercise 7
Find another differential over the first 3 rounds of the toy cipher.
Exercise 8
Find a complete sequence of differentials over the first 3 rounds of the toy cipher
that enables the recovery of K5.
No relation must cover more than 8 bits of K5
(i.e., 2 round-4 SBoxes).
Week 5
Exercise 9
Q1. Construct another boomerang where each 2-round differential relation has only 2 active S-Boxes.
Q2. Compute an approximation of its success probability by considering all possible variations for the 2nd round and 3rd round S-Box.
I.e., for the active 2nd round S-Box S_2i consider all possible output differences \Delta Y_2i.
Similarly, for the active 3rd round S-Box S_3j consider all possible input differences \Delta X_3j.
Week 6
Exercise 10
The improved collision attack has various added costs.
Namely, to actually find the collision and various losses.
Consider an expected trail length of t=2^l with l=n/2-20.
Express these added costs in terms of the expression 2^(n/2).
Challenges
These challenges are optional and not part of the examined course material.
They often require a bit of programming, but are fun to work with cryptanalysis in practice.
Solutions can emailed to the email address above.
Please use subject line "[challenge N]".
Questions can be placed online, via email or in the designated Q & A session.
Challenge 1
Consider a file with the content "plaintext" (without line-breaks etc.).
One can encrypt this file with a specified 128-bit key in hexidecimal notation
using AES and PKCS#7-padding (choose paddinglength n>=1 to achieve multiple of block length, pad n bytes of value n) as follows:
>echo -n "plaintext" > plaintext.txt
>openssl enc -aes-128-ecb -K 000000000000000000000000000000ff -in plaintext.txt -out ciphertext8.txt -base64
Content ciphertext8.txt: p8SkEqgGnsC7AY20RLcZPw==
Recover the 32-bit key for the following AES-128 block encryption:
>echo -n "plaintext" > plaintext.txt
>openssl enc -aes-128-ecb -K 000000000000000000000000xxxxxxxx -in plaintext.txt -out ciphertext32.txt -base64
Content ciphertext32.txt: fgpIqNL2jNOcnbGyeBH3wQ==
Solved by: NV
Hint
Challenge 2
Recover the 40-bit key for the following AES-128 block encryption:
>echo -n "plaintext" > plaintext.txt
>openssl enc -aes-128-ecb -K 0000000000000000000000xxxxxxxxxx -in plaintext.txt -out ciphertext40.txt -base64
Content ciphertext40.txt: yw+1N8hXE1gq/abtGamcsw==
Solved by: NV
Challenge 3
Fully recover the final round key K5 that was used to generate the
plaintext-ciphertext pair list in ptctlist.txt/ptctlist.sobj in this page's Files
section.
Solved by: NV
Challenge 4
Recover round key K4 that was used to generate the
plaintext-ciphertext pair list in ptctlist.txt/ptctlist.sobj.
Solved by: NV
Challenge 5
Recover round keys K3, K2 and K1 that were used to generate the
plaintext-ciphertext pair list in ptctlist.txt/ptctlist.sobj.
Solved by: NV
Challenge 6
Find a Boomerang Quartet for the toy cipher under key
(K1, K2, K3, K4, K5) = (9870, 15365, 46360, 58052, 43095).
Don't use the exact same plaintext and ciphertext difference from section 9.9.
Solved by:
Challenge 7
LMHASH is the hash algorithm used to store passwords in Windows versions up
to XP. It has the "feature" that it is very weak even for long passwords.
Recover the passwords with the following LMHASHes:
Password1: d4ade12d94ef4c090c8f5a7b7a6f9449:034daff94d806cee29f310f5d6a77ba4
Password2: 382ee38891e7056e17306d272a9441bb:a107e5624083963db8dbe61f3d288588
Solved by:
Challenge 8
Recover the password with the following LMHASH:
Password: 78fc94b134540254c914c58291c22f87:e7ac4712dd6def58c4095a388b8eecda
Solved by:
Challenge 9
Recover the numeric password of length 12 with the following
MD5-hash:
Password: 956a82ed7ec234e17d97c13469bee91f
Solved by:
Challenge 10
Recover the lowercase alpha password of length 9 with the following
MD5-hash:
Password: 1eea849311fa5b43f479fcc94bf206c0
Solved by:
Challenge 11
Find a pair of messages that form a collision under the
SHA-1-hash
that has been truncated from 40 hexadecimals / 160 bits to the first 12 hexadecimals / 48 bits.
E.g., the following collision on the first 8 hexadecimals:
>echo -n 10029 > 10029.txt
>echo -n 47427 > 42427.txt
>sha1sum 10029.txt 42437.txt
38d0a030376c582fe818b544c1be3490c277f7cf 10029.txt
38d0a030efb24c67112fc76ea91c6fdfe33df53a 47427.txt
Solved by:
Hint
Challenge 12
Find a pair of messages that form a collision under the
SHA-1-hash
that has been truncated from 40 hexadecimals / 160 bits to the first 16 hexadecimals /
64 bits.
E.g., not this one:
>echo -n '0ecc9a9dc8d18149' | sha1sum | cut -c-16
606cf52221c792f3
>echo -n 'f1a79915b25fbdf3' | sha1sum | cut -c-16
606cf52221c792f3
Solved by: