EXAM_ASSIGMENT.txt
%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% EXAM ASSIGNMENT %%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%
By the end of the last lab session each student must deliver
1 - an individual report regarding the lab project and
2 - an individual program chosen among 3 assignments
(Assignment A, B and C).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
GRADE:
------
I) Having delivered the final project by the end of 2013-12-20 lab session
10 points
II) Having delivered the report by the end of 2013-12-20 lab session
5 points
III) Having delivered only one assignment between Assignment A, B, C
by the end of 2013-12-20 lab session
9/12/15 points
are NECESSARY conditions to take the oral exam
starting from the following grades:
- 24 if delivering Assignment A
- 27 if delivering Assignment B
- 30 if delivering Assignment C
Partial delivery means the student
takes the oral exam starting from a lower grade.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
DEADLINE:
---------
- the end of the last lab session (2013-12-20)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
INDIVIDUAL DELIVERY:
--------------------
1 - INDIVIDUAL REPORT
2 - INDIVIDUAL ASSIGNMENT
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
REPORT INSTRUCTIONS:
--------------------
Write a REPORT about the lab project
covering the following points:
- Describe your integer pseudorandom generator.
- Describe your prime pseudorandom generator.
- Describe how you generated the RSA keys, specifying:
- which controls you made on the primes;
- an estimate of the time and of how many integers
you have to check to generate 512 bit primes
with your own prime pseudorandom generator.
- Describe how you generated the symmetric keys.
- In the protocol proposed in the course there may be some flaws:
please elaborate.
Report length must be:
at most 2 pages (+2 of cited code/pseudocode/pictures if needed)
Clarity in the exposition will also be evaluated.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
ASSIGNMENT INSTRUCTION:
-----------------------
ASSIGNMENT A:
Implement E0 (you can omit the key loading).
Use online test vectors.
ASSIGNMENT B:
Implement KECCAK (i.e. SHA3).
Use online test vectors.
ASSIGNMENT C:
Implement either:
- SQUARE ATTACK to a simplified version of Bunny24
- SIMPLE CORRELATION ATTACK to a toy stream cipher
The two attacks will be tested during the last lab session
NOTE:
* see later for details
** if people from the same group decide to deliver Assignment C
half of them must implement the Square Attack and
the other half must implement the Correlation Attack
*** the two attacks should take a couple of minutes to break each cipher
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Square Attack
-------------
* HYPOTHESIS:
1) You attack Bunny24Reduced(),
a reduced version of BUNNY24:
- with only 3 rounds
- round keys are all equal to the session key K
2) You are in the scenario of a CHOSEN-PLAINTEXT attack
(i.e., you have access to an oracle O which can tell you
the corresponding ciphertext of any plaintext that you want)
* GOAL:
1) Find the SESSION KEY K
2) Given the session key
Decrypt a given ciphertext obtained using Bunny24Reduced in CBC mode
with null IV
* HINT:
at the end of round 2 Bunny24 preserves the "sum to zero" property,
while at the end of round 3 this property does not hold anymore.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Correlation Attack
------------------
* HYPOTHESIS:
1) You attack a toy stream cipher composed of 5 registers
defined by the following polynomials:
p[1] = x^2 + x + 1 ;
p[2] = x^3 + x + 1 ;
p[3] = x^4 + x + 1 ;
p[4] = x^7 + x + 1 ;
p[5] = x^8 + x^7 + x^2 + x + 1 ;
and combined with the following non-linear function
f = x1*x2*x3*x4*x5 + x4*x5 + x5;
2) The initial state of each register can NOT be the zero vector
3) You are in the scenario of a KNOWN-PLAINTEXT attack
(i.e. you know the stream generated by the stream cipher
until a certain length n)
* GOAL:
1) Find the INITIAL STATE S generating a stream of size 256 bits
2) Given the initial state S
Decrypt a given ciphertext obtained from the NEW bits (from bit 257 on)
of the stream generated by the same initial state
* HINT:
if one register has high correlation p with the combining function
then the right initial state of that register generates a sequence of length l
which agrees with the output stream of the stream cipher in about p*l positions,
while wrong initial states generate sequences with different behaviour.
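A constructed model of this toy cipher, added here as example code (it is not part of the assignment material nor the course's own implementation): it builds the five LFSRs from the polynomials above, combines them with f, and counts how often f agrees with each single input, which is the correlation p the HINT refers to and the quantity a designer checks when assessing a combining function's correlation immunity. The initial states used in the code and its checks are arbitrary non-zero vectors chosen for illustration.

```python
from itertools import product
from typing import List

# Feedback polynomials as lists of exponents (x^0 written as 0), as on the page.
POLYNOMIALS = [
    [2, 1, 0],        # p[1] = x^2 + x + 1
    [3, 1, 0],        # p[2] = x^3 + x + 1
    [4, 1, 0],        # p[3] = x^4 + x + 1
    [7, 1, 0],        # p[4] = x^7 + x + 1
    [8, 7, 2, 1, 0],  # p[5] = x^8 + x^7 + x^2 + x + 1
]

def combine(x1: int, x2: int, x3: int, x4: int, x5: int) -> int:
    """The non-linear combining function f over GF(2)."""
    return (x1 & x2 & x3 & x4 & x5) ^ (x4 & x5) ^ x5

def lfsr_stream(poly: List[int], state: List[int], n: int) -> List[int]:
    """Run a Fibonacci LFSR with feedback polynomial `poly` for n steps.
    state[i] holds s_{t+i}; the fed-back bit is the XOR of s_{t+i} over the
    terms x^i with i < degree. Hypothesis 2: the state must be non-zero."""
    degree = max(poly)
    if len(state) != degree or not any(state):
        raise ValueError("state must be a non-zero vector of length %d" % degree)
    taps = [i for i in poly if i < degree]
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [sum(s[i] for i in taps) & 1]
    return out

def keystream(states: List[List[int]], n: int) -> List[int]:
    """First n keystream bits of the toy cipher for the five initial states."""
    regs = [lfsr_stream(p, st, n) for p, st in zip(POLYNOMIALS, states)]
    return [combine(*bits) for bits in zip(*regs)]

def agreement_counts() -> List[int]:
    """For each input x_i, count the inputs (out of 32) where f(x) == x_i.
    16 means no correlation; a count far from 16 is the high correlation
    p = count/32 that the HINT refers to."""
    counts = [0] * 5
    for bits in product((0, 1), repeat=5):
        y = combine(*bits)
        for i, b in enumerate(bits):
            counts[i] += int(y == b)
    return counts

def agreement_rate(a: List[int], b: List[int]) -> float:
    """Fraction of positions where two bit sequences agree (empirical p)."""
    return sum(int(x == y) for x, y in zip(a, b)) / len(a)
```

Running agreement_counts() shows that f agrees with x5 on 25 of the 32 inputs and with x4 on only 9, so registers 4 and 5 are the ones whose bits leak into the keystream, while x1, x2, x3 are nearly balanced at 17.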