密码学第五版部分课后答案 (1)

合集下载
  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。

2.4 已知下面的密文由单表代换算法产生:
请将它破译。

提示:
1、正如你所知,英文中最常见的字母是e。

因此,密文第一个或第二个(或许第三个)出现频率最高的字符应该代表e。

此外,e经常成对出现(如meet,fleet,speed,seen,been,agree,等等)。

找出代表e的字符,并首先将它译出来。

2、英文中最常见的单词是“the”。

利用这个事实猜出什么字母t和h。

3、根据已经得到的结果破译其他部分。

解:由题意分析:“8”出现次数最多,对应明文为“e”,“;48”代表的明文为“the”,“)”、“*”、“5”出现频率都比较高,分别对应“s”、“n”、“a”,由此破译出密文对应的明文为: A good glass in the Bishop’s hostel in the Devil’s seat-twenty-one degrees and thirteen minutes-northeast and by north-main branch seventh limb east side-shoot from the left eye of the death’s head-a bee line from the tree through the shot fifty feet out.
2.20 在多罗的怪诞小说中,有一个故事是这样的:地主彼得遇到了下图所示的消息,他找到了密钥,是一段整数:
11234
a.破译这段消息。

提示:最大的整数是什么?
b.如果只知道算法而不知道密钥,这种加密方案的安全性怎么样?
c.如果只知道密钥而不知道算法,这种加密方案的安全性又怎么样?
解:
A.根据提示,将密文排成每行8字母的矩阵,密钥代表矩阵中每行应取的字母,依次取相应字母即可得明文。

明文为:
He sitteth between the cherubims.The isles may be glad thereof.As the rivers in the South.
B.安全性很好。

若密文的字母数为8n,则共有8n种可能的密钥,不易攻破。

C.安全性较差。

将字母总数与密钥总数相除,得每组8个字母,即可破译。

3.8 这个问题给出了用一轮DES加密的具体数字的例子。

假设明文和密钥K有相同的位模式,即:
用十六进制表示:0 1 2 3 4 5 6 7 8 9 A B C D E F
用二进制表示: 0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111
a.推导第一轮的子密钥
解:
经过表3.4(b)PC-1置换,得:
C0:00000
D0:01
经过表3.4(d)左移,得:
C1’:10
D1’:01
经过表3.4(c)置换选择,得:
K1:0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101
用十进制表示为:0 B 0 2 6 7 9 B 4 9 A 5
b.推导L0,R0
解:经过表3.2(a)置换,得
L0:1100 1100 0000 0000 1100 1100 1111 1111
R0:1111 0000 1010 1010 1111 0000 1010 1010
c.扩展R0求E(R0)
解:根据表3.2(C)扩充置换,得:
E(R0) = 01110 100001 010101 010101 011110 100001 010101 010101
d.计算A=E(R0)⊕K1
解:根据a、c可得
A = 011100 010001 011100 110010 111000 010101 110011 110000
e.把(d)的48位结果分成6位(数据)的集合并求对应S盒代换的值
解:根据表3.3S盒代换得
(1110) = (14) =0 (10进制) =0000 (2进制)
(1000) = (8) = 12 (10进制)=1100 (2进制)
(1110) = (14) =2 (10进制)=0010(2进制)
(1001) = (9) = 1(10进制) =0001(2进制)
(1100) = (12) =6 (10进制) =0110 (2进制)
(1010) = (10) =13 (10进制)=1101(2进制)
(1001) = (9) = 5 (10进制) =0101 (2进制)
(1000) = (8) =0 (10进制) =0000 (2进制)
f.利用(e)的结论来求32位的结果B
解:B = 0000 1100 0010 0001 0110 1101 0101 0000
g.利用置换求P(B)
解:根据表3.2(d),得
P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h.计算R1=P(B)⊕L0
解:R1 = 0101 1110 0001 1100 1110 1100 0110 0011
i.写出密文
解:L1=R0,连接L1、R1可得密文为:MEYE82
3.12 16个密钥(K1、K2……K16)在DSE解密过程中是逆序使用的。

因此,图3.5的右半
部分不再正确。

请模仿表3.4(d)为解密过程设计一个合适的密钥移位扩展方案。

解:
选代轮数 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
移位次数0 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 3.10 (a)
解:
T16(L15 || R15) = L16 || R16
T17(L16 || R16) = R16 || L16
IP [IP–1 (R 16 || L16)] = R16 || L16
TD1(R16 || L16) = L16 || R16 f(L16, K16)=R15 || L15 f(R15, K16)
f(R15, K16)= R15 ||L15
(b)
解:
T16(L15 || R15) = L16 || R16
IP [IP–1 (L16 || R16)] = L16 || R16
TD1(R16 || L16) = R16 || L16 f(R16, K16)= L15 f(R15, K16)|| R15 f(R16, K16)≠L15 || R15
3.15
For 1 ≤ i ≤ 128, take c i∈{0, 1}128to be the string containing a 1 in position
i and then zeros elsewhere. Obtain the decryption of these 128 ciphertexts.
Let m1, m2, . . . , m128 be the corresponding plaintexts. Now, given any
ciphertext c which does not consist of all zeros, there is a unique nonempty
subset of the c i’s which we can XOR together to obtain c. Let I(c) ⊆ {1,
2, . . . , 128} denote this subset. Observe
Thus, we obtain the plaintext of c by computing
iÎI c()m
i. Let 0 be the all-zero
string. Note that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕ 0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every
c ∈ {0, 1}128.
4.15a. gcd(24140, 16762) = gcd(16762, 7378) = gcd(7378, 2006) = gcd(2006, 1360)
= gcd(1360, 646) = gcd (646, 68) = gcd(68, 34) = gcd(34, 0) = 34
b. gcd(4655, 12075) = gcd(12075, 4655) = gcd(4655, 2765) = gcd(2765, 1890)
= gcd(1890, 875) = gcd (875, 140) = gcd(140, 35) = gcd(35, 0) =35
4.17 a. Euclid: gcd(2152, 764) = gcd(764, 624) = gcd(624, 140) = gcd(140, 64)
= gcd(64, 12) = gcd(12, 4) = gcd(4, 0) = 4
Stein: A1 = 2152, B1 = 764, C1 = 1;
A2 = 1076, B2 = 382, C2 = 2;
A3 = 538, B3 = 191, C3 = 4;
A4 = 269, B4 = 191, C4 = 4;
A5 = 78, B5 = 191, C5 = 4;
A6 = 39, B6= 191,C6 = 4;
A7 = 152, B7 = 39, C7 = 4;
A8 = 76, B8 = 39, C8 = 4;
A9 = 38, B9 = 39, C9 = 4;
A10 = 19, B10 = 39, C10 = 4;
A11 = 20, B11 = 19, C11 = 4;
A12 = 10, B12 = 19, C12 = 4;
A13 = 5, B13 = 19, C13 = 4;
A14 = 14, B14 = 5, C14 = 4;
A15 = 7, B15 = 5, C15 = 4;
A16 = 2, B16 = 5, C16 = 4;
A17 = 1, B17 = 5, C17 = 4;
A18 = 4, B18 = 1, C18 = 4;
A19 = 2, B19 = 1, C19 = 4;
A20 = 1, B20 = 1, C20 = 4;
故gcd(2152, 764) = 1 ´ 4 = 4
b. 在每一步算法中,Euclid算法所进行的除法运算比较复杂,而Stein算法只
需完成除以2、相等、求差或取最小值的简单运算,减小了运算复杂度。

4.23 a. 9x2 + 7x + 7
b. 5x3 + 7x2 + 2x + 6
4.25 a. 1
b. 1
c. x + 1
d. x + 78
7.2 因为Xn+1 = (aXn ) mod 24,易知若a为偶数,则经过n轮之后Xn+1必恒等于0,故
a必为奇数。

且a<16,分别取a=3,5,7,9,11,13,15,得:
a=3,则Xn=1,3,9,11,1,3,……或Xn=5,15,13,7,5,15,……
a=5,则Xn=1,5,9,13,1,5,……或Xn=3,15,11,7,3,15,……
a=7,则Xn=1,7,1……舍去
a=9,则Xn=1,9,1……舍去
a=11,则Xn=1,11,9,3,1,11,……或Xn=5,7,13,15,5,7,……
a=13,则Xn=1,13,9,5,1,13,……或Xn=3,7,11,15,3,7,……
故:
(a)最大周期为4
(b)a=3或5或11或13
(c)与a必为奇数同理,种子必须为奇数。

7.4 两个发生器产生的伪随机数分别为:
1, 6, 10, 8, 9, 2, 12, 7, 3, 5, 4, 11, 1, . . .
1, 7, 10, 5, 9, 11, 12, 6, 3, 8, 4, 2, 1, . . .
从中可以看出,第二个发生器产生的伪随机数存在一部分Xn+1 = 2Xn的现象,所以第一个伪随机数发生器的随机性更好一些。

8.5
a == 9794 mod 73
==12
而0<a<72, 73为素数,故取a=12
8.8
因为φ(35)=24,x^φ(35)==1mod35
所以x^85mod35=(((x^24mod35)^3)*(x^12mod35)*(xmod35))mod35
=(((x^12mod35)*(xmod35))mod35
又因为x^24mod35=1
所以x^12mod35=1或-1
所以x^85mod35=xmod35或-xmod35=6
故x=6或x=29,代入验证得
x=6
9.3
因为 n=35 所以(35) =24
因为 ed==1 mod (35) ; e=5 所以 d=5
所以 M= C d mod n=5
9.5
不安全
因为在已知n的情况下易知(n),根据密钥产生原则:(1)选择e使其与(n)互素且小于(n) (2)确定d使得de==1(mod(n))且d<(n) 可以得出e、d的可能值,再通过进一步观察即可求出e和d,特别是在n很小的情况下,只需通过简单的计算就可以破解密钥。

8.21
a 1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 8 16
3 1 12 2
4 19 9 18 7 14 28 Log2,29(
a)
a 15 16 17 18 19 20 21 22 23 24 25 26 27 28
27 25 21 13 26 23 17 5 10 20 11 22 15 6 Log2,29(
a)
B.因为17x2 ==10(mod29)
所以[dlog2,29(17)+2dlog2,29(x)](mod28)==23
[21+2log2,29(x)](mod28)==23
所以21+2log2,29(x)=23
或 21+2log2,29(x)=51
所以x=2或x=27
C.因为x2-4x-16==(0mod29)
所以(x-2)2==(20mod29)
易知x!=1
所以[2dlog2,29(x-2)](mod28)==24
所以dlog2,29(x-2)=12
或 dlog2,29(x-2)=26
所以x=9或x=21
D.因为x7==17(mod29)
所以[7log2,29(x)]==21
所以7log2,29(x)=21或49或77或105或133或161或189
所以x=8或10或12或15或18或26或27
9.14 This algorithm is discussed in the CESG report mentioned in Chapter 6 [ELLI99],
and is known as Cocks algorithm.
a. Cocks makes use of the Chinese remainder theorem (see Section 8.4 and
Problem 8.10), which says it is possible to reconstruct integers in a
certain range from their residues modulo a set of pairwise relatively prime
moduli. In particular for relatively prime P and Q, any integer M in the
range 0 ≤ M < N can be the pair of numbers M mod P and M mod Q, and that
it is possible to recover M given M mod P and M mod Q. The security lies
in the difficulty of finding the prime factors of N.
b. In RSA, a user forms a pair of integers, d and e, such that
de 1 mod ((P – 1)(Q – 1)), and then publishes e and N as the public
key. Cocks is a special case in which e = N.
c. The RSA algorithm has the merit that it is symmetrical; the same process
is used both for encryption and decryption, which simplifies the software
needed. Also, e can be chosen arbitrarily so that a particularly simple
version can be used for encryption with the public key. In this way, the
complex process would be needed only for the recipient.
d. The private key k is the pair P and Q; the public key x is N; the plaintext
p is M; and the ciphertext z is C. M1 is formed by multiplying the two
parts of k, P and Q, together. M2 consists of raising M to the power N
(mod N). M3 is the process described in the problem statement.
10.6a. (49, 57)
b. C2 = 29
11.1a. Yes. The XOR function is simply a vertical parity check. If there is an
odd number of errors, then there must be at least one column that contains
an odd number of errors, and the parity bit for that column will detect
the error. Note that the RXOR function also catches all errors caused by
an odd number of error bits. Each RXOR bit is a function of a unique "spiral"
of bits in the block of data. If there is an odd number of errors, then
there must be at least one spiral that contains an odd number of errors,
and the parity bit for that spiral will detect the error.
b. No. The checksum will fail to detect an even number of errors when both
the XOR and RXOR functions fail. In order for both to fail, the pattern
of error bits must be at intersection points between parity spirals and
parity columns such that there is an even number of error bits in each
parity column and an even number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding multiple
messages with the same hash function would be too easy.
11.2a. For clarity, we use overbars for complementation. We have:
Therefore, the hash function of message M with initial value I is the same as the hash function for message N with initial value for any given
I, where
b. The same line of reasoning applies with the M s and H s reversed in the
derivation.
11.11a. 1. Interchange x1 and x4; x2 and x3; y1 and y4; and y2 and y3.
2. Compute Z = X + Y mod 232.
3. Interchange z1 and z4; and z2 and z3.
b. You must use the same sort of interchange.。

相关文档
最新文档