I am Travis W. I am a Computer Network Homework Expert at computernetworkassignmenthelp.com. I hold a Master's in Computer Science from, Leeds University. I have been helping students with their homework for the past 17 years. I solve homework related to the Computer Network. Visit computernetworkassignmenthelp.com or email support@computernetworkassignmenthelp.com. You can also call on +1 678 648 4277 for any assistance with the Computer Network Homework.

1. For any Homework related queries, Call us at : - +1 678 648 4277
You can mail us at : - support@computernetworkassignmenthelp.com or
reach us at : - www.computernetworkassignmenthelp.com/

2. Problem 1. IND-CCA
Alice and Bob have taken 6.857, and would like to send confidential messages to
each other in a way that meets the IND-CCA definition given there.
Bob suggests the following method.
Let EncCBC(K, M) denote the process of padding M with a 1 bit and then as many 0
bits as needed to make the message length a multiple of 128 bits, and then using AES
in CBC mode to encrypt the result, using a randomly-chosen 128-bit IV. The result is:
EncCBC(K, M) = IV, C1,C2,...,Cn .
Let Rev(S) denote the reverse of a sequence S. That is, S is parsed as a sequence of
128-bit blocks (the length of S must be a multiple of 128 bits), and these blocks are
re-arranged into reverse order.
Bob then proposes that he and Alice secretly agree on two AES keys K1 and K2, and
then define the encryption of a message M as
computernetworkassignmenthelp.com

3. E(K1,K2; M) = EncCBC(K2, Rev(EncCBC(K1,M ))) .
The intent here is that the reversal avoids the problem noted in class, that “ciphertext
prefixes decode as prefixes of the message.”
Show that this method does not meet the IND-CCA security definition given in class.
That is, show how the adversary can “win” the security game against this method.
Problem 2. Kalns
Ben Bitdiddle has designed a new cryptosystem called Kalns, but we suspect it might
not be as strong as we would like to be. Therefore we ask your help to break it.
In this problem we will be working with a finite field GF16. The elements of our field
are all 4-bit strings. The f ield addition is computed as xor: GF16(x) + GF16(y) =
GF16(x ⊕ y). We provide the two tables describing addition and multiplication laws
on the course web page.
If you are curious, these tables are obtained by interpreting 4-bit field elements as
degree ≤ 4 polynomials 4 over GF2 and performing addition and multiplication
modulo the irreducible polynomial x + x + 1.
computernetworkassignmenthelp.com

4. However, for the purposes of this problem you do not need to understand how our GF16
is constructed; the solutions we know assume black-box access to GF16. We have
provided a GF16 implementation for you.
Kalns is a 64-bit block cipher. The secret key consists of three parts:
•an invertible 16-by-16 matrix A over GF16;
•a 16-element vector b over GF16; and
•a permutation (bijection) S that maps GF16 one-to-one and onto GF16.
To encrypt a 64-bit block B we first break it up in sixteen 4-bit chunks and interpret each
of them as a GF16 element. So block B corresponds to length 16 vector x = (x0,...,x15)
over GF16.
The encryptions consists of the following: y = S(Ax + b), where the permutation S is
individually applied to each of 16 elements of v = Ax + b. The 16-element vector y is
later re-interpreted as 64-bit integer to obtain the encrypted block B'.
(a) Ben suspects that his cryptosystem is very secure. After all it has around 16162
possible keys. However, we suspect that there are many equivalent keys. These keys have
different values for (A, b, S), but produce the same ciphertext for any given plaintext. Is
our suspicion wellfounded?
computernetworkassignmenthelp.com

5. (b) Describe a chosen-ciphertext attack on Kalns that recovers the unknown key (A,
b, S) or an equivalent key.
(c) To demonstrate that your attack works, write an implementation that can break a
randomly generated key. We have set up a web server that implements Kalns
algorithm at Prove that your implementation works by getting your team’s name on
the list of successful teams. The server is powered by scripts.mit.edu shared hosting
infrastructure. Please don’t issue denial of service attacks or try to attack their servers.
computernetworkassignmenthelp.com

6. Solution 1. IND-CCA
Theorem: Bob’s method E is not IND-CCA secure
Proof: The adversary picks m0 = 0x, m1 = 1x for large x ≥ 3·128 in phase I. Then y =
EK1,K2 (md). Let z = y with the first bit flipped. Since z = y, the adversary is allowed
to ask for DK1,K2 (z) in phase II. This correctly gives the first 128-bit block of md,
revealing d (zeroes if d = 0 or ones if d = 1). Therefore, the adversary wins the game
Why does this work? Consider the steps of E, where md is divided into n 128-bit
blocks (n ≥ 3)
1. Start with md = m1,...,mn. (1) (1)
2. EncCBCK1 (m (1) 1,...,mn) = IV , C1 ,...,Cn .
3. Rev(IV (1) (1) (1) (1) (1) , C1 ,...,Cn ) = Cn ,...,C ,IV (1) 1 . EncCBC (1) (1) (1)
(2) (2) (2) (2)
4. K2 (Cn ,...,C1 ,IV ) = IV , C1 ,...,Cn , Cn+1. (2) (2) (2)
5. End with IV (2), C1 ,...,Cn , Cn+1 = y
computernetworkassignmenthelp.com

7. Now, consider the steps of D, which reverses E.
1. Start with y = IV (2), C1 ,...,Cn , Cn+1. DecCBC
2. K2 (IV , C1 ,...,Cn , Cn+1) = Cn ,...,C ,IV (1) 1 .
3. Rev(Cn ,...,C1 ,IV (1)) = IV (1), C1 ,...,Cn .
4. DecCBCK1 (IV (1), C1 ,...,Cn ) = m1,...,mn.
5. End with m1,...,mn = md.
Finally, consider the steps of D when the input is z instead of y (the first bit is
flipped). Denote any changed blocks in red. As we observed in Lecture 9, the bit
flip only affects the decryption of the current block and the next block, since each
decrypted block only depends on Ci and Ci 1 (and only the first block depends on
IV ).
1. Start with z = IV (2), C1
(2) ,...,Cn
(2) , Cn+1
(2).
2. DecCBC K2 (IV (2) , C1 (2),...,Cn (2) , Cn+1 (2) ) = Cn ,...,C1 ,IV (1).
3. Rev(Cn ,...,C ,IV (1) 1 ) = IV (1), C1 ,..., Cn .
4. DecCBC (1) K1 (IV , C1 ,..., Cn ) = m1,..., mn.
5. End with m1,..., mn.
Therefore, the first block m1 of md is correct, revealing d
computernetworkassignmenthelp.com

8. Problem 2. Kalns
a) Our suspicion is well founded, which we can see from a very simple analysis.
Consider an orig inal key combination (A, b, S), where we call Ax + b = v. Let us
then consider a possible key combination (n*A, n*b, S’), where n is some number
in GF16. The output of this new key pair will be S/(nAx + nb) = S/(nv). Thanks to
the properties of GF16, we know that n ∗ m, where n is a GF16 value held constant
and m is a GF16 value varied from 0 to 16, return all different values ranging from
0 to 16. (Of course, the case where m = 0 maps to 0, but the other cases map more
interestingly.) Thus, multiplying v by n can be considered as just an extra
permutation, P(v). (This is true if n is nonzero, but we are simply choosing this to
be the case.) This means we can just adjust S’ to look like S after canceling out this
original mapping, i.e S/(x) = S(P −1(x)), and we have an equivalent key pair. Thus
we have generated several equivalent key pairs. It turns out that, since we have
such freedom with S, we can actually generate even more equivalent key pairs by
basically generating new v’s and adjusting our S accordingly, as shown above.
Thus, we know that there will be many equivalent key pairs.
b) Let’s consider a series of possible inputs and outputs that we could try
encrypting/decrypting, and consider the information gleaned from each. u
computernetworkassignmenthelp.com

9. If we encrypt the vector x0 = [0, 0, 0, 0, ..., 0], we will get y0 = S(b). Additionally, if
we encrypt the vectors xi , which are the 16 unit vectors (i.e. the vectors with all 0’s
except a 1 at position i), we i will get back y = S(Ai + b), where Ai is the i’th column of
A.
We now have information about A and b, but they are embedded in S, the permutation.
In order to get information about this, we can decrypt the values yi = [i, 0, 0, 0, ...0].
Reversing our algorithm, v we can see that x = A−1(S−1(y) − b), which means we will
get back x = (A−1)0(S−1(y ) − b). If i i v i v we take the first element of these x , we
will get (A−1)0,0(S−1(i)−b0), and if we take the differences v 0 v i v di = x − x , we
will get (A−1)0,0(S−1(0) − S−1(i)). Here, we take advantage of the properties of GF16
to define a new, valid permutation, S/ such that S/−1 = (A−1)0,0S−1, such that the
values di are actually differences between the inverse permutation values for 0 and i.
Defining S’(0) = 0, we thus have a valid permutation that we have fully defined, and
which we can construct an equivalent key pair using. (Recall from part a that we can do
this because our permutation is correct up to a multiplicative constant!).
Using this new S’, we can decrypt S(b) such that S/−1(S(b)) = b/, and similarly extract
each column of A as a column of a new matrix A’. This new key combination (A/,b/,S/)
is equivalent to the orig inal combination (A, b, S). Since we now have an equivalent
key set to the original combination, we can freely encrypt and decrypt data as we please,
completely compromising the Kalns encryption scheme.
computernetworkassignmenthelp.com

10. c) We have successfully implemented this algorithm. See MCRBFinalFast on
http://6857.scripts. mit.edu/kalns/. Our code follows the exact process detailed in part
b. The MITx submission site only allows one uploaded file, so we did not submit our
actual code file, but the code we used is reproduced below using the verbatim tag.
from kalns import *
tokenString = remote_query(’keygen?team=MCRBFinalFast’)
theToken = tokenString[80:112]
rk = RemoteKalns(theToken)
b = int64_to_GF16_vec(rk.enc(0))
r_unit = []
for i in range(16):
r_unit.append(int64_to_GF16_vec(rk.enc(2**(4*(15-i)))))
A = []
for row in range(16):
computernetworkassignmenthelp.com

11. A.append([])
for col in range(16):
A[row].append(r_unit[col][row])
iTimesAInv = []
for i in range(16):
#print int64_to_GF16_vec(i*(2**(4)))
iTimesAInv.append(int64_to_GF16_vec(rk.dec(i*(2**(4)))))
topVals = []
for i in range(16):
topVals.append(iTimesAInv[i][0])
#These for loops are actually irrelevant, they were
#originally to ensure that we didn’t need to try cyclic permutations of
#the S that we derived. It turns out we don’t, so we just set the ranges
#to 1. for i in range(1):
for ii in range(1):
AA = []
BB = []
s = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
computernetworkassignmenthelp.com

12. sinv = []
for iii in range(16):
x = topVals[iii]
x0 = topVals[0]
s[int((GF16(i) - ((x0-x)/GF16(ii+1))).val)] = int(iii)
for ij in range(16):
sinv.append(s.index(ij))
for k in range(16):
AA.append([])
for l in range(16):
AA[k].append(GF16(sinv[A[k][l].val]))
BB.append(GF16(sinv[b[k].val]))
for kk in range(16):
for ll in range(16):
newVar = AA[kk][ll] - BB[kk]
AA[kk][ll] = newVar
print "s = " + str(i) + ", Ainv[0][0] = " + str(ii)
print rk.answer(AA, BB, s)
computernetworkassignmenthelp.com