1. Short Answers Part A. (a) 11101001 (b) Only two plaintexts are possible because only two permutations are possible (in spite of the huge key) due to the 1-bit block size. Part B. An attack where you are given some number of plaintext-ciphertext pairs and you have to find the key (typically) they were produced with. Part C. 2^{34} expected keys Part D. (a) M = DES-1(K1, C xor K2) (b) No. Use some P1, C1 pair under DES++ and compute DES(K1, P1) xor C1 for all keys K1. Then use another pair P2, C2 under DES++ and compute DES(K1, P2) xor C2 for all keys K1. Now find a match between the first list and the second; this is likely to be K2 (you can verify this with a few more DES++ invocations if you have several candidates). Part E. This hash function is useless: it's trivially invertible and easy to find collisions for. For example, if you have any n-bit string t and you want a preimage, just compute E^{-1}(0, t) xor 1^n and you have one! The same technique works to find collisions. Part F. 1 - 9*8*7/1000 = .496 Part G. Not a group. No identity, no closure, etc. Part H. (n-1)*(n-1) = n^2 + 2n + 1 = 1 mod n Part I. d divides n+1 so n+1 = kd for some k. Since d is relative prime to n+1, so is k, so k is in the group. But d^{-1} = k since kd = n+1 = 1 mod n. Part J. As defined in class, a pseudoprime is a COMPOSITE. 5 is prime and is therefore not a pseudoprime. Part K. 151 = 128+16+4+2+1. It takes 7 squarings to reach 128 (because it's 2^7) and then 4 more multiplications to compute M^{151}. So the answer is 11 multiplications. 2. RSA (a) n=21, phi(n) = 12 (b) d=5 (so ed = 25 = 1 mod 12) (c) 4^5 mod 21 = 2^{10} mod 21 = 1024 mod 21 = 16 (d) 2^5 mod 21 = 11 3. Information Theoretic Crypto (a) There are 24 permutations of 1,2,3,4. Number them (however you like) from 0 to 23 and call this K. To encrypt any message M in the range 0 to 23, compute M+K mod 24. (b) This is information theoretically secure for the same reason that one-time pad is secure. For any given ciphertext, the probability that M is any particular value is uniform over the choices of K. Therefore seeing the ciphertext leaks absolutely NO information about the plaintext.