
Exercise 1

Explain why this form of internal feedback is much worse in practice in a non-ideal world, when
the ciphertext may be corrupted by error.

Solution
In this form of internal feedback, decryption is:

$$p_i = \mathrm{Decrypt}(c_i) \oplus p_{i-1}$$

Since each decryption depends on the previous decryption ($p_{i-1}$), a single corrupted block will cause all subsequent decryptions to fail. (And every single error will force all future blocks to be resent.)


However, in the other internal feedback structure, we'd get the decryption method:

$$p_i = c_{i-1} \oplus \mathrm{Decrypt}(c_i)$$

Therefore, each corrupted ciphertext block will prevent the decryption of at most two blocks (the corresponding plaintext block $p_i$ and the one after it, $p_{i+1}$).
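The difference in error propagation between the two decryption rules, $p_i = \mathrm{Decrypt}(c_i) \oplus p_{i-1}$ and $p_i = c_{i-1} \oplus \mathrm{Decrypt}(c_i)$, can be checked directly. The following is an added example, not part of the original solution; the toy Feistel cipher, the names `pfb_*`, `cbc_*` and `damaged_blocks`, and the key, IV and plaintext are all constructed for illustration.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (assumption for this example)
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, decrypt=False):
    # Toy 4-round Feistel permutation standing in for the block cipher.
    h = BLOCK // 2
    l, r = (block[h:], block[:h]) if decrypt else (block[:h], block[h:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:h])
    return r + l if decrypt else l + r

def pfb_encrypt(key, iv, blocks):  # c_i = Encrypt(p_i XOR p_{i-1})
    out, prev = [], iv
    for p in blocks:
        out.append(feistel(key, xor(p, prev)))
        prev = p
    return out

def pfb_decrypt(key, iv, blocks):  # p_i = Decrypt(c_i) XOR p_{i-1}
    out, prev = [], iv
    for c in blocks:
        prev = xor(feistel(key, c, True), prev)
        out.append(prev)
    return out

def cbc_encrypt(key, iv, blocks):  # c_i = Encrypt(p_i XOR c_{i-1})
    out, prev = [], iv
    for p in blocks:
        prev = feistel(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):  # p_i = c_{i-1} XOR Decrypt(c_i)
    out, prev = [], iv
    for c in blocks:
        out.append(xor(prev, feistel(key, c, True)))
        prev = c
    return out

def damaged_blocks(enc, dec, flip_at, n=8):
    # Constructed key, IV and plaintext; flip one ciphertext bit, list bad blocks.
    key, iv = b"constructed-key", bytes(BLOCK)
    plain = [bytes([i]) * BLOCK for i in range(n)]
    ct = enc(key, iv, plain)
    ct[flip_at] = xor(ct[flip_at], b"\x01" + bytes(BLOCK - 1))
    return [i for i, (g, p) in enumerate(zip(dec(key, iv, ct), plain)) if g != p]
```

With a one-bit error in ciphertext block 2 of 8, the plaintext-feedback structure loses every block from 2 onward, while the ciphertext-feedback structure loses only blocks 2 and 3.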




Exercise 2
When using multiple encryption, which internal feedback structure will guarantee no apparent
output structure, and no complete loss of data when 1 ciphertext block is corrupted?

Solution
An identical feedback structure to the one we saw in question 1:


Viewing the multiple encryption as a black-box encryption module shows that this indeed does not cause a complete loss of decryption when a single ciphertext block is corrupted (as we saw in question 1).

In addition, it does not generate any (apparent) output structure, since each ciphertext block is XORed with the new plaintext.



Exercise 3
Calculate the probability, in the slidex attack, of:

$$k_1 = x_1 + x_2 + c, \qquad k_2 = w_1 + w_2 + e$$

(Where $e$ is the common value $w_1 + F(x_1 + c) = w_2 + F(x_2 + c)$.)

Solution
For every $x_1 \neq x_2$ and $c \notin \{k_1,\ x_1 + x_2 + k_1\}$, the four terms

$$\{x_1 + k_1,\ x_2 + k_1,\ x_1 + c,\ x_2 + c\}$$

are pairwise distinct.

Therefore, choosing the permutation F uniformly at random, each of them is mapped u.a.r as
well. As a result, the probability that:
$$\begin{aligned}
&\Pr_F\left[\, w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \;\middle|\; c \notin \{k_1,\ x_1 + x_2 + k_1\} \,\right] \\
&\quad = \Pr_F\left[\, k_2 + F(x_1 + k_1) + F(x_1 + c) = k_2 + F(x_2 + k_1) + F(x_2 + c) \;\middle|\; c \notin \{k_1,\ x_1 + x_2 + k_1\} \,\right] \\
&\quad = \Pr_F\left[\, F(x_1 + k_1) + F(x_2 + k_1) + F(x_1 + c) = F(x_2 + c) \;\middle|\; c \notin \{k_1,\ x_1 + x_2 + k_1\} \,\right] \le \frac{1}{2^n}
\end{aligned}$$

(Since whatever the value of $F(x_1 + k_1) + F(x_2 + k_1) + F(x_1 + c)$ may be, the probability that $F(x_2 + c)$ will be the same is at most $\frac{1}{2^n}$.)

Therefore:
$$\begin{aligned}
\Pr_{F,\ x_1 \neq x_2}\left(\, c \notin \{k_1,\ x_1 + x_2 + k_1\} \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right) &\le \frac{1}{2^n} \\
\Pr_{F,\ x_1 \neq x_2}\left(\, c \in \{k_1,\ x_1 + x_2 + k_1\} \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right) &\ge 1 - \frac{1}{2^n}
\end{aligned}$$

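And since both values $c \in \{k_1,\ x_1 + x_2 + k_1\}$ are equally likely when $c$ is chosen u.a.r:

$$\begin{aligned}
\Pr_{c,F}\left[\, c = k_1 \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right] &\ge \frac{1}{2} - \frac{1}{2^{n+1}} \\
\Pr_{c,F}\left[\, c = x_1 + x_2 + k_1 \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right] &\ge \frac{1}{2} - \frac{1}{2^{n+1}}
\end{aligned}$$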


Now, if $c = x_1 + x_2 + k_1$, then:

$$\begin{aligned}
&\Pr_{F,\ x_1 \neq x_2}\left[\, k_2 = w_1 + w_2 + e \;\middle|\; c = x_1 + x_2 + k_1 \,\right] \\
&\quad = \Pr_F\left[\, k_2 = w_1 + F(x_2 + c) \;\middle|\; c = x_1 + x_2 + k_1 \,\right] \\
&\quad = \Pr_F\left[\, k_2 = w_1 + F(x_1 + k_1) \;\middle|\; c = x_1 + x_2 + k_1 \,\right] = 1
\end{aligned}$$


However, if $c = k_1$, then:

$$\begin{aligned}
&\Pr_{F,\ x_1 \neq x_2}\left[\, k_2 = w_1 + w_2 + e \;\middle|\; w_1 + F(x_1 + k_1) = w_2 + F(x_2 + k_1) \,\right] \\
&\quad = \Pr_F\left[\, k_2 = w_1 + F(x_2 + k_1) \;\middle|\; w_1 + F(x_1 + k_1) = w_2 + F(x_2 + k_1) \,\right] \\
&\quad = \Pr_F\left[\, F(x_1 + k_1) = F(x_2 + k_1) \;\middle|\; w_1 + F(x_1 + k_1) = w_2 + F(x_2 + k_1) \,\right] = 0
\end{aligned}$$

Since $x_1 \neq x_2 \Rightarrow x_1 + k_1 \neq x_2 + k_1 \Rightarrow F(x_1 + k_1) \neq F(x_2 + k_1)$.

Therefore, the required probability is:

$$\begin{aligned}
&\Pr_F\left[\, k_2 = w_1 + w_2 + e \,\wedge\, c = x_1 + x_2 + k_1 \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right] \\
&\quad = \Pr_{c,F}\left[\, c = x_1 + x_2 + k_1 \;\middle|\; w_1 + F(x_1 + c) = w_2 + F(x_2 + c) \,\right] \ge \frac{1}{2} - \frac{1}{2^{n+1}}
\end{aligned}$$
