Show page

Differences

This shows you the differences between two versions of the page.

--- sasc:res:tema1 [2016/03/08 11:04]
marios.choudary
+++ sasc:res:tema1 [2017/03/19 23:46] (current)
dan.dragan
@@ Line 1: / Line 1: @@
 ===== Homework 1 =====
-Asa cum am discutat la curs si laborator, va dau posibilitatea sa compensati laboratoarele pierdute prin efectuarea unei teme de casa. Punctajul de la laborator este de 20 pct din 100, iar al proiectului este de 30 din 100, deci in total laboratorul si proiectul fac 50% din nota finala. Prin aceasta tema va dau pana in 10 puncte din acesti 50. Adica, puteti sa luati un maxim de 50 de puncte intre laborator, proiect si tema. Restul de 50 se iau doar din examen si prezenta la curs.
+==== Exercise 1 ====
-Tema este formata din urmatoarele exercitii. Incercati sa le faceti pe toate, chiar daca nu reusiti sa ajungeti la o solutie buna. Ma intereseaza sa vad cum ati gandit si ce ati reusit sa implementati.
+Let's analyse some substitution-permutation networks (SPN).
-Voi discuta rezolvarile voastre personal, cu fiecare, in cadrul laboratorului de dupa Pasti.
-Va rog foarte mult sa nu copiati, si nici macar sa va inspirati (la nivel de idee) unul de la altul. Este o tema individuala, pentru cei care vor sa compenseze punctajul. Daca gasesc inspiratii intre voi, veti avea punctaj 0 atat la tema cat si la laborator.
-==== Exercise 1 (7p) ====
+=== SPN 1 (3p) ===
-Let us see what goes wrong when a stream cipher key is used more than once. Below are eleven hexencoded ciphertexts that are the result of encrypting eleven plaintexts with a stream cipher, all with the same stream cipher key. Your goal is to decrypt the last ciphertext, and submit the secret message within it as solution.
+We have the SPN from this figure:
+{{:sasc:laboratoare:spn_1r_reduced_2s.png|}}
-Hint: XOR the ciphertexts together, and consider what happens when a space is XORed with a character in [a-zA-Z].
+where S denotes the AES S-box (we'll discuss this in some detail during the next lecture), and 'Permutation' is a simple permutation block that simply shifts the input 4 bits to the right as in a queue. Both this S-box and the permutation are invertible and known by the attacker (you). Each input (x1, x2) is 8-bit (1 byte), as well as the keys k1, k2, and the outputs y1, y2.
-ciphertext #1:
+  - How can you find the key ?
+  - Given the message/ciphertext pair ('Hi' - as characters, 0xba52 - as hex number), find the key bytes k1 and k2. Print them in ascii.
-c4eeaa8b5f8aaf9174145bf43e1784b8fa00dc71d885a804e5ee9fa40b16349c146fb778cdf2d3aff021dfff5b403b5 10d0d0455468aeb98622b137dae857553ccd8883a7bc37520e06e515d22c954eba5025b8cc57ee59418ce7dc6bc4 1556bdb36bbca3e8774301fbcaa3b83b220809560987815f65286764703de0f3d524400a19b159610b11ef3e
+<note tip>
+For these exercises you can use the following helper/starter code:
+</note>
-ciphertext #2:
+<code>
+import sys
+import random
+import string
+import operator
-c02ecbbfbafa3ed18510abd11fa724fcda2018a1a8342cf064bbde548b12b07df44ba7191d9606ef4081ffde5ad46 a5069d9f7f543bedb9c861bf29c7e205132eda9382b0bc2c5c4b45f919cf3a9f1cb74151f6d551f4480c82b2cb24cc5b0 28aa76eb7b4ab24171ab3cdadb8356f
+# Rijndael S-box
+sbox =  [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67,
+x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59,
+x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7,
+xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1,
+x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05,
+x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83,
+x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29,
+xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa,
+xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c,
+x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc,
+xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec,
+x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19,
+x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee,
+xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49,
+x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4,
+xea, 0x65, 0x7a, 0xae, 0x08, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6,
+xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70,
+x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9,
+x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e,
+x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1,
+x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0,
+x54, 0xbb, 0x16]
-ciphertext #3:
-ba9a7b2bba9b8005d43a304b5714cc0bb0c8a34884dd91304b8ad40b62b07df44ba6e9d8a2368e51d04e0e7 b207b70b9b8261112bacb6c866a232dfe257527dc29398f5f3251a0d47e503c66e935de81230b59b7afb5f41afa8d661cb
+# Rijndael Inverted S-box
+rsbox = [0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3,
+x9e, 0x81, 0xf3, 0xd7, 0xfb , 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f,
+xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb , 0x54,
+x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b,
+x42, 0xfa, 0xc3, 0x4e , 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24,
+xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 , 0x72, 0xf8,
+xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d,
+x65, 0xb6, 0x92 , 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
+x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 , 0x90, 0xd8, 0xab,
+x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3,
+x45, 0x06 , 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1,
+xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b , 0x3a, 0x91, 0x11, 0x41,
+x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6,
+x73 , 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9,
+x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e , 0x47, 0xf1, 0x1a, 0x71, 0x1d,
+x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b ,
+xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0,
+xfe, 0x78, 0xcd, 0x5a, 0xf4 , 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07,
+xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f , 0x60,
+x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f,
+x93, 0xc9, 0x9c, 0xef , 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5,
+xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 , 0x17, 0x2b,
+x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55,
+x21, 0x0c, 0x7d]
-ciphertext #4:
+def strxor(a, b): # xor two strings (trims the longer input)
+  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
-ba9aab2a8a4fd06414fb517b5605cc0aa0dc91a8908c2064ba8ad5ea06a029056f47a8ad3306ef5021eafe1ac 01a81197847a5c68a1b78769a37bc8f4575432c198ccb4ef63590256e305cd3a9544ee4160ead45aef520489e7da7d 835402bca670bda8eb775200b8dabbba246b130f040d8ec6447e2c767f3d30ed81ea2e4c1404e1315a1010e7229be6636aaa
+def hexxor(a, b): # xor two hex strings (trims the longer input)
+  ha = a.decode('hex')
+  hb = b.decode('hex')
+  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])
-ciphertext #5:
+def bitxor(a, b): # xor two bit strings (trims the longer input)
+  return "".join([str(int(x)^int(y)) for (x, y) in zip(a, b)])
+def str2bin(ss):
+  """
+    Transform a string (e.g. 'Hello') into a string of bits
+  """
+  bs = ''
+  for c in ss:
+    bs = bs + bin(ord(c))[2:].zfill(8)
+  return bs
-f561ba9adb4b6ebec54424ba317b564418fac0dd35f8c08d31a1fe9e24fe56808c213f17c81d9607cee021dafe1e001 b21ade877a5e68bea88d61b93ac5ee0d562e8e9582f5ef375f0a4ae20ed86e935de81230b59b73fb4302cd95d770c6 5b40aaa065f2a5e33a5a0bb5dcaba43722130f042f8ec85b7c2070
+def hex2bin(hs):
+  """
+    Transform a hex string (e.g. 'a2') into a string of bits (e.g.10100010)
+  """
+  bs = ''
+  for c in hs:
+    bs = bs + bin(int(c,16))[2:].zfill(4)
+  return bs
-ciphertext #6:
+def bin2hex(bs):
+  """
+    Transform a bit string into a hex string
+  """
+  return hex(int(bs,2))[2:]
-bfbacfbb9befd54415da243e1695ecabd58c519cd4bd2061bbde24eb76a19d84aba34d8de287be84d07e7e9a 30ee714979c7e1123a8bd9822a33ecaf512472e8e8f8db3f9635c1949e640c621854eba0d79eccf52ff111284b4cc61 d11902aebc66f2b2e436434eacc0aba938220b084800c2ca4e693522643573b2c4ce35050b0cf774201f0fe52ac9f26 d71b6cf61a711cc229f77ace7aa88a2f19983122b11be87a59c355d25f8e4
+def byte2bin(bval):
+  """
+    Transform a byte (8-bit) value into a bitstring
+  """
+  return bin(bval)[2:].zfill(8)
-ciphertext #7:
-bfbacfbb9befd54415da243e1695ecabd58c519cd4bd90f1fa6ea5ba47b01c909ba7696cf606ef40c04afe1ac0a a8148dd066592ded9f8774b529c7ea125d298e8883f5e9305f4b44f915cb2bd05af51373fd9b4af511039fa2d96f8341 4aaaf261bda2e97b170fb5cce2a53e675c154c0d9681596934777e2275b381ce2e40582afe67650b13e72287ff2270 abcf73bb028932836fbdecfecee0a3b894473c1bbeb6b4913a536ce4f9b13f1efff71ea313c8661dd9a4ce
+def permute4(s):
+  """
+    Perform a permutatation by shifting all bits 4 positions right.
+    The input is assumed to be a 16-bit bitstring
+  """
+  ps = ''
+  ps = ps + s[12:16]
+  ps = ps + s[0:12]
+  return ps
-ciphertext #8:
+def permute_inv4(s):
+  """
+    Perform the inverse of permute4
+    The input is assumed to be a 16-bit bitstring
+  """
+  ps = ''
+  ps = ps + s[4:16]
+  ps = ps + s[0:4]
+  return ps
-c4eeaa8b5f8bffd11155ea506b56041c6a00c8a08854dd21a4bbde54ce56801d943ba708b8a3574f40c00fff9e00f a1439fd0654327a3bfc860b92f89ee04132ecb9298f5fd2d5e4b45e40ecc3b9d59e9417df7c95bba410e9aa2ca24c54 74da2f276baa3ac325918b2daada43d6712150441c2e04f6565517f317da9d3
+def spn_1r_reduced_2s(k, x):
+  """
+    Performs an encryption with a substitution-permutation network.
+    Key k = {k1, k2}, total of 16 bits (2 x 8 bits)
+    Input x = {x1, x2}, total of 16 bits (2 x 8 bits)
+    Both k and x are assumed to be bitstrings.
+    Return:
+    a 16-bit bitstring containing the encryption y = {y1, y2}
+  """
-ciphertext #9:
+  # Split input and key
+  x1 = x[0:8]
+  x2 = x[8:16]
+  k1 = k[0:8]
+  k2 = k[8:16]
-f9bbb2aeadec111841a81abc300ecaa01bd8069d5cc91005e9fe4aad6e04d513e96d99de2569bc5e50eeeca 709b50a8a987f4264edb6896fb537d0a716132ddc938fb0f836480e06ed0fcd6e9759f40462f9cf57f4564186a2c1778f 1543efa270bda5e933421cbe88a4a52222190f471e9bd15f652b653b7071aec59a2705081ffe72651d08f822c9ed6d7
+  #Apply S-box
-e48b63ab15d0208573a7eef027
+  u1 = bitxor(x1, k1)
+  v1 = sbox[int(u1,2)]
+  v1 = byte2bin(v1)
-ciphertext #10:
+  u2 = bitxor(x2, k2)
+  v2 = sbox[int(u2,2)]
+  v2 = byte2bin(v2)
-d06ece998b7a2fb1d464fed2ced7641ddaa3cc31c9941cf110abbf409ed39598005b3399ccfafb61d0315fca0a314 be138a9f32503bedac8067f03adbf3575c3b8edc9ba7f537530541ab0f9f3cd04ff50d66f1d559ba520e89a2cb2a83
+  #Apply permutation
+  pin = v1 + v2
+  pout = permute4(pin)
-target ciphertext (decrypt this one):
+  return pout
+def spn_1r_full_2s(k, x):
+  """
+    Performs an encryption with a substitution-permutation network.
+    Key k = {k1, k2, k3, k4}, total of 32 bits (4 x 8 bits)
+    Input x = {x1, x2}, total of 16 bits (2 x 8 bits)
+    Both k and x are assumed to be bitstrings.
-ba9babebbbefd001547a810e67149caee11d945cd7fc81a05e9f85aac650e9052ba6a8cd8257bf14d13e6f0a8 03b54fde9e77472dbff89d71b57bddef121336cb85ccb8f3315f4b52e301d16e9f52f904
+    Return:
+    a 16-bit bitstring containing the encryption y = {y1, y2}
+  """
-<note tip>The ciphertexts were generated with a script like this</note>
+  # Split input and key
-<code>
+  x1 = x[0:8]
-import sys
+  x2 = x[8:16]
+  k1 = k[0:8]
+  k2 = k[8:16]
+  k3 = k[16:24]
+  k4 = k[24:32]
-MSGS=(--- 11secretmessages ---)
+  #Apply S-box
+  u1 = bitxor(x1, k1)
+  v1 = sbox[int(u1,2)]
+  v1 = byte2bin(v1)
-def strxor(a, b): # xor two strings (trims the longer input)
+  u2 = bitxor(x2, k2)
-  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
+  v2 = sbox[int(u2,2)]
+  v2 = byte2bin(v2)
-def random(size=16):
-  return open("/dev/urandom").read(size)
-def encrypt(key, msg):
+  #Apply permutation
-  c = strxor(key, msg)
+  pin = v1 + v2
-  print
+  pout = permute4(pin)
-  print c.encode('hex')
-  return c
+  #Apply final XOR
+  po1 = pout[0:8]
+  po2 = pout[8:16]
+  y1 = bitxor(po1, k3)
+  y2 = bitxor(po2, k4)
+  return y1+y2
 def main():
-  key = random(1024)
-  ciphertexts = [encrypt(key, msg) for msg in MSGS]
-</code>
-<note tip>You may use the following Python code as a starting point</note>
+  #Run reduced 2-byte SPN
-<code>
+  msg = 'Hi'
-import sys
+  key = '??' # Find this
-import random
+  xs = str2bin(msg)
-import string
+  ks = str2bin(key)
-import operator
+  ys = spn_1r_reduced_2s(ks, xs)
+  print 'Two y halves of reduced SPN: ' + ys[0:8] + ' (hex: ' + bin2hex(ys[0:8]) + '), ' + ys[8:16] + ' (hex: ' + bin2hex(ys[8:16]) + ')'
-MSGS = (
+  #Run full 2-byte SPN
-    '315c4eeaa8b5f8aaf9174145bf43e1784b8fa00dc71d885a804e5ee9fa40b16349c146fb778cdf2d3aff021dfff5b403b510d0d0455468aeb98622b137dae857553ccd8883a7bc37520e06e515d22c954eba5025b8cc57ee59418ce7dc6bc41556bdb36bbca3e8774301fbcaa3b83b220809560987815f65286764703de0f3d524400a19b159610b11ef3e',
+  msg = 'Om'
-    '234c02ecbbfbafa3ed18510abd11fa724fcda2018a1a8342cf064bbde548b12b07df44ba7191d9606ef4081ffde5ad46a5069d9f7f543bedb9c861bf29c7e205132eda9382b0bc2c5c4b45f919cf3a9f1cb74151f6d551f4480c82b2cb24cc5b028aa76eb7b4ab24171ab3cdadb8356f',
+  key = '????' # Find this
-    '32510ba9a7b2bba9b8005d43a304b5714cc0bb0c8a34884dd91304b8ad40b62b07df44ba6e9d8a2368e51d04e0e7b207b70b9b8261112bacb6c866a232dfe257527dc29398f5f3251a0d47e503c66e935de81230b59b7afb5f41afa8d661cb',
+  xs = str2bin(msg)
-    '32510ba9aab2a8a4fd06414fb517b5605cc0aa0dc91a8908c2064ba8ad5ea06a029056f47a8ad3306ef5021eafe1ac01a81197847a5c68a1b78769a37bc8f4575432c198ccb4ef63590256e305cd3a9544ee4160ead45aef520489e7da7d835402bca670bda8eb775200b8dabbba246b130f040d8ec6447e2c767f3d30ed81ea2e4c1404e1315a1010e7229be6636aaa',
+  ks = str2bin(key)
-    '3f561ba9adb4b6ebec54424ba317b564418fac0dd35f8c08d31a1fe9e24fe56808c213f17c81d9607cee021dafe1e001b21ade877a5e68bea88d61b93ac5ee0d562e8e9582f5ef375f0a4ae20ed86e935de81230b59b73fb4302cd95d770c65b40aaa065f2a5e33a5a0bb5dcaba43722130f042f8ec85b7c2070',
+  ys = spn_1r_full_2s(ks, xs)
-    '32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd2061bbde24eb76a19d84aba34d8de287be84d07e7e9a30ee714979c7e1123a8bd9822a33ecaf512472e8e8f8db3f9635c1949e640c621854eba0d79eccf52ff111284b4cc61d11902aebc66f2b2e436434eacc0aba938220b084800c2ca4e693522643573b2c4ce35050b0cf774201f0fe52ac9f26d71b6cf61a711cc229f77ace7aa88a2f19983122b11be87a59c355d25f8e4',
+  print 'Two y halves of full SPN (2 bytes): ' + ys[0:8] + ' (hex: ' + bin2hex(ys[0:8]) + '), ' + ys[8:16] + ' (hex: ' + bin2hex(ys[8:16]) + ')'
-    '32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd90f1fa6ea5ba47b01c909ba7696cf606ef40c04afe1ac0aa8148dd066592ded9f8774b529c7ea125d298e8883f5e9305f4b44f915cb2bd05af51373fd9b4af511039fa2d96f83414aaaf261bda2e97b170fb5cce2a53e675c154c0d9681596934777e2275b381ce2e40582afe67650b13e72287ff2270abcf73bb028932836fbdecfecee0a3b894473c1bbeb6b4913a536ce4f9b13f1efff71ea313c8661dd9a4ce',
-    '315c4eeaa8b5f8bffd11155ea506b56041c6a00c8a08854dd21a4bbde54ce56801d943ba708b8a3574f40c00fff9e00fa1439fd0654327a3bfc860b92f89ee04132ecb9298f5fd2d5e4b45e40ecc3b9d59e9417df7c95bba410e9aa2ca24c5474da2f276baa3ac325918b2daada43d6712150441c2e04f6565517f317da9d3',
-    '271946f9bbb2aeadec111841a81abc300ecaa01bd8069d5cc91005e9fe4aad6e04d513e96d99de2569bc5e50eeeca709b50a8a987f4264edb6896fb537d0a716132ddc938fb0f836480e06ed0fcd6e9759f40462f9cf57f4564186a2c1778f1543efa270bda5e933421cbe88a4a52222190f471e9bd15f652b653b7071aec59a2705081ffe72651d08f822c9ed6d76e48b63ab15d0208573a7eef027',
-    '466d06ece998b7a2fb1d464fed2ced7641ddaa3cc31c9941cf110abbf409ed39598005b3399ccfafb61d0315fca0a314be138a9f32503bedac8067f03adbf3575c3b8edc9ba7f537530541ab0f9f3cd04ff50d66f1d559ba520e89a2cb2a83'
-    )
-TARGET = '32510ba9babebbbefd001547a810e67149caee11d945cd7fc81a05e9f85aac650e9052ba6a8cd8257bf14d13e6f0a803b54fde9e77472dbff89d71b57bddef121336cb85ccb8f3315f4b52e301d16e9f52f904'
-def strxor(a, b): # xor two strings (trims the longer input)
-  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
-def hexxor(a, b): # xor two hex strings (trims the longer input)
-  ha = a.decode('hex')
-  hb = b.decode('hex')
-  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])
-def main():
-  # do something here
-  print 'Hello'
 if __name__ == "__main__":
   main()
 </code>
-==== Exercise 2 (3p) ====
+==== SPN 2 (3p) ====
-Terminati exercitiul 3 (cel cu LCG RNG) din laboratorul 2:
+Now we have a better SPN, where the output of the permutation is XOR-ed with another 2 key bytes, as in the following figure:
-http://ocw.cs.pub.ro/courses/sasc/laboratoare/02
+{{:sasc:laboratoare:spn_1r_full_2s.png|}}
+  - Try to find the key in this case, when given the following message/ciphertext pairs: ('Om', 0x0073), ('El', 0xd00e), ('an', 0x855b). Print the key in ascii.
+<note tip>You may try some kind of brute-force search</note>
+==== Exercise 2 (4 pct) ====
+As another example, which uses a larger block size, let's use an SPN that takes a 4-byte input x=[x1 || x2 || x3 || x4] and an 8-byte key k=[k1 || k2 || k3 || k4 || k5 || k6 || k7 || k8] as in this figure:
+{{:sasc:laboratoare:spn_1r_full_4s.png|}}
+Note that in this 4-byte SPN, the permutation operates on all 4 bytes, similarly to the 2-byte SPN: that is, it shifts all bits four bits to the right.
+  - Try to find the key in this case as well, using the following message/ciphertext pairs: ('Omul', 0xddcf7bc7), ('stea', 0x96d58b43), ('luna', 0x9c3f2303) . Again print the key in ascii.
+<note tip> This time you cannot (easily) do a brute-force on all the bytes of the last XOR. However, you may try to attack one S-box at a time. Think of the bits that affect one such S-box and find an efficient attack.
+</note>
+==== Bonus (4 pct) ====
+{{:sasc:res:css_enc.png|}}
+Decode the following ciphertext:
+<code>
+'74b906c56684a5d250fe68bc09eb7ee55ffd2271b8d07d6c35a41d96e4ada74de4852d031ba080374dce7bbcaafd0a4bd4'
+</code>
+knowing that the first bit for both 17 bits and 25 bits LFSRs is 1 and the first 6 bytes of plaintext of the encryption are:
+<code>
+'ENCRYP'
+</code>
+Please download the skeleton from here: {{:sasc:res:dvd_css.zip|}}