cryptopals

s1.md (9071B)

---

 ### Set 1
 
 #### 1.1
 
 We want to go from hex (i.e., base 16) to base64 (i.e., base.. uh, 64).  So
 we'll change from the representation:
 
     .. + a2 * 16^2 + a1 * 16^1 + a0 * 16^0
 
 for some (decimal-equivalent) coefficients {a0, a1, .. } in the alphabet
 0-9a-f, to the representation:
 
     .. + b2 * 64^2 + b1 * 64^1 + b0 * 64^0
 
 for other coefficients {b0, b1, .. } in the alphabet A-Za-z0-9\+/.
 
 `xxd` is a hexdump utility; one can use `xxd -r` to go from hex to binary, or
 `xxd -r -p` to go from hex to UTF8:
 
     $ echo $(xxd -r -p data/s1/q1_input.txt)
     I'm killing your brain like a poisonous mushroom
 
 The BSD `base64` utility gets one the rest of the way.  An empty diff confirms
 equality:
 
     $ diff <(xxd -r -p data/s1/q1_input.txt | base64) data/s1/q1_output.txt
 
 #### 1.2
 
 Fixed-xor just encrypts by xoring every bit with some corresponding bit.
 An example, using `xxd -b` to output bits this time:
 
     $ parallel -k 'echo -n {} | xxd -b' ::: FAB ICE
     00000000: 01000110 01000001 01000010                             FAB
     00000000: 01001001 01000011 01000101                             ICE
 
 So xoring 'FAB' with 'ICE' can be done manually -- one just computes the
 bitwise xor:
 
     0100 0110 0100 0001 0100 0010
     0100 1001 0100 0011 0100 0101
 
     0000 1111 0000 0010 0000 0111
 
 In hex that's '0f0207'; we can use `bc` to calculate it; note it's not
 zero-padded:
 
     $ echo 'obase=16; ibase=2; 000011110000001000000111' | bc
     F0207
 
 The `fixed-xor` executable included will perform the reverse task on the
 (zero-padded) hex string:
 
     $ fixed-xor '0f0207' $(echo -n ICE | xxd -p) | xxd -r -p
     FAB
 
 and running `fixed-xor` on the question input yields the following:
 
     $ SOLUTION=$(fixed-xor $(< data/s1/q2_input0.txt) $(< data/s1/q2_input1.txt))
     746865206b696420646f6e277420706c6179
 
 The UTF8 encoding is fun:
 
     $ echo $SOLUTION | xxd -r -p
     the kid don't play
 
 #### 1.3
 
 (N.b., it's easy to memorize the (approximate) ranking of the most
 commonly used characters in English. ETAOIN SHRDLU CMFWYP etc.)
 
 Here we want to determine which byte has been used to produce a known
 single-byte xor'd ciphertext. One wants to score bytes by their
 "closeness" to what might be expected given typical English character
 frequencies, then check the scores of the ciphertext single-byte-xor'd
 against various bytes.
 
 Here we can grab a table of UTF8 character frequencies
 found in English corpora on the interwebs; I used [this
 guy's](http://www.fitaly.com/board/domper3/posts/136.html). One can then
 "score" bytestrings by e.g. calculating the mean squared error between
 an observed frequency distribution and this expected one.
 
 In single-byte xor, the entire input has simply been xor'd by.. a single
 byte. Take plaintext 'hello' and '?', for example:
 
     $ parallel 'echo -n {} | xxd -b' ::: hello ?
     00000000: 01101000 01100101 01101100 01101100 01101111           hello
     00000000: 00111111                                               ?
 
 Repeating '?' as many times as is necessary and manually xoring bitwise yields:
 
     01101000 01100101 01101100 01101100 01101111
     00111111 00111111 00111111 00111111 00111111
 
     01010111 01011010 01010011 01010011 01010000
 
 (N.b. it's worth noting that bitwise xor is simply addition modulo 2 -- i.e.,
 addition in GF(2), the Galois field of two elements.)
 
 The result in UTF8, going through hex, is:
 
     $ echo 'obase=16; ibase=2; 0101011101011010010100110101001101010000' | \
         bc | xxd -r -p
     WZSSP
 
 Since xor is its own inverse, going backwards will get us 'hello' again.
 
 For the actual question here: given an input, one can iterate over the UTF8
 printable bytes (in decimal, 32-126), compute the single-byte xor against it,
 and calculate its MSE.  The result with the smallest MSE is probably the byte
 that was used to encrypt it.
 
 Using a binary that does that, we get:
 
     $ break-single-byte-xor $(cat data/s1/q3_input.txt | tr -d '\n') | \
         xxd -r -p
     cryptopals: input similarity score is 4.760245723733781e-3
     cryptopals: xor-ing with 88 yields 1.1213430401648154e-3
     cryptopals: result
     Cooking MC's like a pound of bacon
 
 #### 1.4
 
 The idea in detecting single-byte XOR is to look for an unusually high
 frequency of particular bytes. Natural English sentences will produce
 some characters (e.g. ETAOIN.., whitespace) with high frequency, and
 these when XOR'd qgainst a single byte will always produce the same
 result. Inputs with a large number of repeated bytes should thus be
 considered suspect.
 
 The `detect-single-byte-xor` executable will prune out the most suspect
 inputs included in a file. Piping the results to `break-single-byte-xor`
 exposes the enciphered text; some relevant output is highlighted below:
 
     ```
     $ detect-single-byte-xor data/s1/q4_input.txt | \
         parallel --keep-order 'break-single-byte-xor {} | xxd -r -p'
     cryptopals: suspect inputs
     cryptopals: 7b5a4215415d544115415d5015455447414c155c46155f4058455c5b523f
     cryptopals: input similarity score is 3.016788883590278e-3
     cryptopals: xor-ing with 76 yields 7.568718315873016e-4
     cryptopals: result
     Now that the party is jumping
     ```
 
 #### 1.5
 
 Repeating-key XOR just cyclically XOR's bytes in the plaintext against
 bytes in the key:
 
     $ sec=$(repeating-key-xor ICE "$(< data/s1/q5_input.txt)")
     $ echo $sec | fold -w 74
     0b3637272a2b2e63622c2e69692a23693a2a3c6324202d623d63343c2a2622632427276527
     2a282b2f20430a652e2c652a3124333a653e2b2027630c692b20283165286326302e27282f
 
 Note the `repeating-key-xor` binary assumes its input isn't hex-encoded,
 so if we want to decrypt the ciphertext we'll need to pipe it through
 `xxd` when going in reverse:
 
     $ repeating-key-xor ICE "$(echo $sec | xxd -r -p)" | xxd -r -p
     Burning 'em, if you ain't quick and nimble
     I go crazy when I hear a cymbal
 
 #### 1.6
 
 First, determining a keysize for a suspected repeating-key XOR'd
 ciphertext. I use an average pairwise normalised Hamming distance; one
 breaks the ciphertext into chunks of a specific size, then calculates
 the number of differing bits for every pair of chunks, normalising by
 the chunk size, and then averages them all together.
 
     $ detect-repeating-key-xor-keysize "$(< data/s1/q6_input.txt)"
     cryptopals: keysize of 29 yields minimum score of 2.7856894063790736
 
 Then to guess the key itself, one chunks the input into blocks of the
 appropriate size and transposes the result, so that every byte in a
 transposed block has (if the ciphertext has indeed been produced by
 repeating-key XOR, and the keysize guess is correct) been XOR'd against
 a single byte. Doing that and breaking each block individually yields
 the key:
 
     $ input_hex=$(cat data/s1/q6_input.txt | base64 -d | xxd -p | tr -d '\n')
     $ key=$(rotate 29 $input_hex | \
         parallel -k 'break-single-byte-xor -l {}' 2> /dev/null | tr -d "\n'")
     $ echo $key
     Terminator X: Bring the noise
 
 Use `repeating-key-xor` with the key to recover the plaintext:
 
     $ repeating-key-xor "$key" --hex "$input_hex" | xxd -r -p | head -2
     I'm back and I'm ringin' the bell
     A rockin' on the mike while the fly girls yell
 
 #### 1.7
 
 Here we're doing AES-128 decryption in ECB mode. AES (Advanced
 Encryption Standard) is a substitution-permutation based block cipher
 with a fixed 128 bit (i.e. 16 byte) block size; AES-128 means the
 keysize is also 128 bits.
 
 ECB means "electronic codebook," the simplest block cipher encryption
 mode. One divides a message into 16-byte blocks and then encrypts each
 block independently.
 
 It's worth using the `openssl` command-line tool here just to get a feel
 for it:
 
     $ key=$(echo -n 'YELLOW SUBMARINE' | xxd -p)
     $ openssl enc -aes-128-ecb \
         -a -d -K "$key" -nosalt \
         -in data/s1/q7_input.txt | head -2
     I'm back and I'm ringin' the bell
     A rockin' on the mike while the fly girls yell
 
 The `aes` binary I've cooked up (using `cryptonite` under the hood) will
 similarly do the trick:
 
     $ key=$(echo -n "YELLOW SUBMARINE" | xxd -p)
     $ ciphertext=$(cat data/s1/q7_input.txt | base64 -d | xxd -p | tr -d '\n')
     $ aes decrypt ecb "$key" "$ciphertext" | xxd -r -p | head -2
     I'm back and I'm ringin' the bell
     A rockin' on the mike while the fly girls yell
 
 #### 1.8
 
 Under ECB mode, the same 16 bytes will always encrypt to the same
 output, so we can look for repeating bytes to detect ECB mode-encrypted
 ciphertext:
 
     $ cat data/s1/q8_input.txt | parallel \
       'echo -n {} | fold -w 16 | printf "%s %u\n" {} $(datamash countunique 1)' | \
       awk '{ if ($2 < 20) { print $1 }; }' | fold -w 64
     d880619740a8a19b7840a8a31c810a3d08649af70dc06f4fd5d2d69c744cd283
     e2dd052f6b641dbf9d11b0348542bb5708649af70dc06f4fd5d2d69c744cd283
     9475c9dfdbc1d46597949d9c7e82bf5a08649af70dc06f4fd5d2d69c744cd283
     97a93eab8d6aecd566489154789a6b0308649af70dc06f4fd5d2d69c744cd283
     d403180c98c8f6db1f2a3f9c4040deb0ab51b29933f2c123c58386b06fba186a
 
 The `Cryptopals.Block.Tools.detectMode` function produces the same
 result by doing much the same thing.