密码学第五版部分课后答案 - 图文

2.4 已知下面的密文由单表代换算法产生：

请将它破译。提示：

1、正如你所知，英文中最常见的字母是e。因此，密文第一个或第二个（或许第三个）出现频率最高的字符应该代表e。此外，e经常成对出现（如meet,fleet,speed,seen,been,agree,等等）。找出代表e的字符，并首先将它译出来。 2、英文中最常见的单词是“the”。利用这个事实猜出什么字母t和h。 3、根据已经得到的结果破译其他部分。

解：由题意分析：“8”出现次数最多，对应明文为“e”，“；48”代表的明文为“the”，“）”、“*”、“5”出现频率都比较高，分别对应“s”、“n”、“a”，由此破译出密文对应的明文为： A good glass in the Bishop’s hostel in the Devil’s seat-twenty-one degrees and thirteen minutes-northeast and by north-main branch seventh limb east side-shoot from the left eye of the death’s head-a bee line from the tree through the shot fifty feet out.

2.20 在多罗的怪诞小说中，有一个故事是这样的：地主彼得遇到了下图所示的消息，他找到了密钥，是一段整数：

7876565434321123434565678788787656543432112343456567878878765654343211234 a.破译这段消息。提示：最大的整数是什么？

b.如果只知道算法而不知道密钥，这种加密方案的安全性怎么样？ c.如果只知道密钥而不知道算法，这种加密方案的安全性又怎么样？ 解：

A.根据提示，将密文排成每行8字母的矩阵，密钥代表矩阵中每行应取的字母，依次取相应字母即可得明文。明文为：

He sitteth between the cherubims.The isles may be glad thereof.As the rivers in the South.

B.安全性很好。若密文的字母数为8n，则共有8种可能的密钥，不易攻破。

C.安全性较差。将字母总数与密钥总数相除，得每组8个字母，即可破译。

3.8 这个问题给出了用一轮DES加密的具体数字的例子。假设明文和密钥K有相同的位模式，即：

用十六进制表示：0 1 2 3 4 5 6 7 8 9 A B C D E F

用二进制表示： 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 a.推导第一轮的子密钥 解：

经过表3.4（b）PC-1置换，得： C0：1111000011001100101010100000 D0：1010101011001100111100000000 经过表3.4（d）左移，得：

C1’：1010000110011001010101000001 D1’：0101010110011001111000000001 经过表3.4（c）置换选择，得：

K1：0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101 用十进制表示为：0 B 0 2 6 7 9 B 4 9 A 5

b.推导L0，R0

解：经过表3.2（a）置换，得

L0 ：1100 1100 0000 0000 1100 1100 1111 1111 R0 ：1111 0000 1010 1010 1111 0000 1010 1010 c.扩展R0求E（R0）

解：根据表3.2（C）扩充置换，得：

E(R0) = 01110 100001 010101 010101 011110 100001 010101 010101 d.计算A=E(R0)?K1 解：根据a、c可得

A = 011100 010001 011100 110010 111000 010101 110011 110000

n

e.把（d）的48位结果分成6位（数据）的集合并求对应S盒代换的值 解：根据表3.3S盒代换得

(1110) = (1000) = (1110) = (1001) = (1100) = (1010) = (1001) = (1000) =

(14) =0 (10进制) =0000 (2进制) (8) =

12 (10进制)=1100 (2进制)

(14) =2 (10进制)=0010(2进制) (9) = 1(10进制) =0001(2进制) (12) =6 (10进制) =0110 (2进制) (10) =13 (10进制)=1101(2进制) (9) =

5 (10进制) =0101 (2进制)

(8) =0 (10进制) =0000 (2进制)

f.利用（e）的结论来求32位的结果B

解：B = 0000 1100 0010 0001 0110 1101 0101 0000

g.利用置换求P(B) 解：根据表3.2（d），得

P(B) = 1001 0010 0001 1100 0010 0000 1001 1100

h.计算R1=P(B)?L0

解：R1 = 0101 1110 0001 1100 1110 1100 0110 0011

i.写出密文

解：L1=R0，连接L1、R1可得密文为：MEYE82

3.12 16个密钥（K1、K2??K16）在DSE解密过程中是逆序使用的。因此，图3.5的右半部分不再正确。请模仿表3.4（d）为解密过程设计一个合适的密钥移位扩展方案。 解： 选代轮数 移位次数

3.10 （a） 解：

T16(L15 || R15) = L16 || R16

1 0 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 11 12 13 14 15 16 2 2 2 2 2 2 1

T17(L16 || R16) = R16 || L16 IP [IP–1 (R16 || L16)] = R16 || L16

TD1(R16 || L16) = L16 || R16 ? f(L16, K16)=R15 || L15 ? f(R15, K16)

? f(R15, K16)= R15 ||L15

（b）

解：

T16(L15 || R15) = L16 || R16

–1

IP [IP (L16 || R16)] = L16 || R16

|| L16) = R16 || L16 ? f(R16, K16)= L15 ? f(R15, K16)|| R15? TD1(R16

f(R16, K16)≠L15 || R15

3.15

For 1 ≤ i ≤ 128, take ci ? {0, 1}128 to be the string containing a 1 in position i and then zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m1, m2, . . . , m128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the ci’s which we can XOR together to obtain c. Let I(c) ? {1, 2, . . . , 128} denote this subset. Observe

? ? c=?ci=?E(mi)=E? ?mi÷ i?I(c)i?I(c)i?I(c)è ?

Thus, we obtain the plaintext of c by computing

i?I(c)?mi. Let 0 be the all-zero

string. Note that 0 = 0 ? 0. From this we obtain E(0) = E(0 ? 0) = E(0)

? E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c ? {0, 1}128. 4.15

a. gcd(24140, 16762) = gcd(16762, 7378) = gcd(7378, 2006) = gcd(2006, 1360) = gcd(1360, 646) = gcd (646, 68) = gcd(68, 34) = gcd(34, 0) = 34

b. gcd(4655, 12075) = gcd(12075, 4655) = gcd(4655, 2765) = gcd(2765, 1890) = gcd(1890, 875) = gcd (875, 140) = gcd(140, 35) = gcd(35, 0) =35

4.17 a. Euclid: gcd(2152, 764) = gcd(764, 624) = gcd(624, 140) = gcd(140, 64)

= gcd(64, 12) = gcd(12, 4) = gcd(4, 0) = 4

Stein: A1 = 2152, B1 = 764, C1 = 1;

A2 = 1076, B2 = 382, C2 = 2; A3 = 538, B3 = 191, C3 = 4; A4 = 269, B4 = 191, C4 = 4; A5 = 78, B5 = 191, C5 = 4; A6 = 39, B6= 191,C6 = 4; A7 = 152, B7 = 39, C7 = 4; A8 = 76, B8 = 39, C8 = 4; A9 = 38, B9 = 39, C9 = 4; A10 = 19, B10 = 39, C10 = 4; A11 = 20, B11 = 19, C11 = 4; A12 = 10, B12 = 19, C12 = 4; A13 = 5, B13 = 19, C13 = 4; A14 = 14, B14 = 5, C14 = 4; A15 = 7, B15 = 5, C15 = 4; A16 = 2, B16 = 5, C16 = 4; A17 = 1, B17 = 5, C17 = 4; A18 = 4, B18 = 1, C18 = 4;

A19 = 2, B19 = 1, C19 = 4; A20 = 1, B20 = 1, C20 = 4;

故gcd(2152, 764) = 1 ′ 4 = 4

b. 在每一步算法中，Euclid算法所进行的除法运算比较复杂，而Stein算法只

需完成除以2、相等、求差或取最小值的简单运算，减小了运算复杂度。 4.23

a. 9x2 + 7x + 7 b. 5x3 + 7x2 + 2x + 6

4.25 a. 1 b. 1 c. x + 1 d. x + 78

7.2 因为Xn+1 = (aXn ) mod 24，易知若a为偶数，则经过n轮之后Xn+1必恒等于0，故a必为奇数。且a<16,分别取a=3,5,7,9,11,13,15，得：

a=3,则Xn=1,3,9,11,1,3，?? 或Xn=5,15,13,7,5,15，?? a=5,则Xn=1,5,9,13,1,5，?? 或Xn=3,15,11,7,3,15，?? a=7,则Xn=1,7,1?? 舍去 a=9,则Xn=1,9,1?? 舍去

a=11,则Xn=1,11,9,3,1,11，?? 或Xn=5,7,13,15,5,7，?? a=13,则Xn=1,13,9,5,1,13，?? 或Xn=3,7,11,15,3,7，?? 故：

（a） 最大周期为4 （b） a=3或5或11或13

（c） 与a必为奇数同理，种子必须为奇数。

7.4 两个发生器产生的伪随机数分别为：

1, 6, 10, 8, 9, 2, 12, 7, 3, 5, 4, 11, 1, . . . 1, 7, 10, 5, 9, 11, 12, 6, 3, 8, 4, 2, 1, . . .

从中可以看出，第二个发生器产生的伪随机数存在一部分Xn+1 = 2Xn的现象，所以第一个伪随机数发生器的随机性更好一些。 8.5

a == 9794 mod 73 ==12

而0

因为φ(35)=24，x^φ(35)==1mod35

所以x^85mod35=(((x^24mod35)^3)*(x^12mod35)*(xmod35))mod35

=(((x^12mod35)*(xmod35))mod35

又因为x^24mod35=1 所以x^12mod35=1或-1

所以x^85mod35=xmod35或-xmod35=6 故x=6或x=29,代入验证得 x=6 9.3

因为 n=35 所以?(35) =24

因为 ed==1 mod ?(35) ; e=5 所以 d=5 所以 M= Cd mod n=5

9.5

不安全

因为在已知n的情况下易知?(n)，根据密钥产生原则：（1）选择e使其与?(n)互素

且小于?(n) （2）确定d使得de==1(mod?(n))且d

离散对数表如下图所示： a Log2,29(a) a Log2,29(a) B.因为17x2 ==10（mod29）

所以[dlog2,29(17)+2dlog2,29(x)](mod28)==23 [21+2log2,29(x)](mod28)==23 所以21+2log2,29(x)=23 或 21+2log2,29(x)=51 所以x=2或x=27

C.因为x2-4x-16==(0mod29)

所以(x-2)2==(20mod29)

易知x!=1

所以[2dlog2,29(x-2)](mod28)==24 所以dlog2,29(x-2)=12

1 2 2 4 3 8 4 5 6 1 7 8 9 10 11 12 18 7 13 14 14 28 27 28 15 6 16 3 12 24 19 9 15 16 17 18 19 20 21 22 23 24 25 26 27 25 21 13 26 23 17 5 10 20 11 22 或 dlog2,29(x-2)=26 所以x=9或x=21

D.因为x7==17（mod29）

所以[7log2,29(x)]==21

所以7log2,29(x)=21或49或77或105或133或161或189 所以x=8或10或12或15或18或26或27

9.14 This algorithm is discussed in the CESG report mentioned in Chapter 6 [ELLI99],

and is known as Cocks algorithm. a. Cocks makes use of the Chinese remainder theorem (see Section 8.4 and

Problem 8.10), which says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli. In particular for relatively prime P and Q, any integer M in the range 0 ≤ M < N can be the pair of numbers M mod P and M mod Q, and that it is possible to recover M given M mod P and M mod Q. The security lies in the difficulty of finding the prime factors of N.

b. In RSA, a user forms a pair of integers, d and e, such that de ? 1 mod ((P – 1)(Q – 1)), and then publishes e and N as the public

key. Cocks is a special case in which e = N.

c. The RSA algorithm has the merit that it is symmetrical; the same process

is used both for encryption and decryption, which simplifies the software needed. Also, e can be chosen arbitrarily so that a particularly simple version can be used for encryption with the public key. In this way, the complex process would be needed only for the recipient.

d. The private key k is the pair P and Q; the public key x is N; the plaintext

p is M; and the ciphertext z is C. M1 is formed by multiplying the two parts of k, P and Q, together. M2 consists of raising M to the power N (mod N). M3 is the process described in the problem statement.

10.6 a. (49, 57) 11.1

b. C2 = 29

a. Yes. The XOR function is simply a vertical parity check. If there is

an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique \of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.

b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern

11.2

of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.

c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash function would be too easy. a. For clarity, we use overbars for complementation. We have:

Therefore, the hash function of message M with initial value I is the

same as the hash function for message N with initial value for any given I, where

11.11

a. 1. Interchange x1 and x4; x2 and x3; y1 and y4; and y2 and y3.

2. Compute Z = X + Y mod 232.

3. Interchange z1 and z4; and z2 and z3.

b. The same line of reasoning applies with the Ms and Hs reversed in the derivation.

b. You must use the same sort of interchange.

本文来源：https://www.bwwdw.com/article/h9sr.html