RSA Laboratories

Contest Rules

The contest is based on the DES cipher. A brief piece of printable ASCII text (containing byte values in hexadecimal notation from 0x20 to 0x7e) will be appended to the fixed 24-character string "The unknown message is:". The result will be padded and then encrypted with the associated cipher under a randomly-generated key. The padding method used will be that specified in the RSA Laboratories' Public Key Cryptography Standards (PKCS) #7 document.

In particular, if the total plaintext to be encrypted is s bytes in length then, since DES has a block size of eight bytes, the plaintext will be padded with exactly 8-(s mod 8) bytes, each of which take the value 8-(s mod 8). As an example, if the complete plaintext requires exactly one additional byte to produce an integral number of plaintext blocks, then it is padded with the byte that has hexadecimal value 0x01. If the plaintext needs exactly two additional bytes, then it is padded with the bytes 0x02 0x02, and so forth. Finally, if the text needs no additional bytes to produce an integral number of plaintext blocks, then it is padded with eight bytes, each containing the value 0x08. This means that plaintexts with a length in bytes equal to a multiple of eight, are padded with the string 0x08 0x08 0x08 0x08 0x08 0x08 0x08 0x08.

Encryption of the padded plaintext will take place in CBC mode (cipher-block chaining mode), with a randomly-generated key and a randomly generated IV (initial value).

For example, if the mystery text for a DES challenge were "Clipper chips go well with salsa!" (thanks to Kazuo Ohta for introducing us to Clipper chips at Crypto!), then, after adding in the known header bytes and performing padding, the actual plaintext to be encrypted would be the following eight 64-bit blocks, in this order (shown in hexadecimal):

61 67 65 20 69 73 3a 20 43 6c 69 70 70 65 72 20
63 68 69 70 73 20 67 6f 20 77 65 6c 6c 20 77 69
74 68 20 73 61 6c 73 61 21 07 07 07 07 07 07 07

The ciphertext produced, of course, would depend on the key and the IV that is used for the encryption. For this example, the ciphertext would also consist of eight 64-bit blocks.

At the start of the contest, the ciphertext (the encrypted text) for that contest will be revealed, together with the IV used for the encryption. The first sender of the key that was used during encryption will win the prize for that contest.

The candidate key must be sent via email to RSA Data Security in precisely the fashion specified in the section "Format of Submissions", and the winning submission for a contest will be the one that was received first by RSA Data Security and processed and judged to be correct.

No employees of RSA Data Security or their relatives are eligible to participate or win prizes in any of RSA Data Security's cryptographic challenges.

RSA Data Security reserves the right to change the contest rules at any time at its sole discretion, without notice, including the right to change or extend the challenge lists, to change the prize amounts, and/or to terminate the contest. RSA Data Security is the sole arbiter and administrator for this contest; the judgment of RSA Data Security in all matters is final.

Queries on either the RSA Factoring Challenge or the RSA Secret-Key Challenge can be addressed to:

RSA Challenge Administrator
RSA Data Security, Inc.
2955 Campus Drive, Suite 400
San Mateo, California 94403-2507 - USA

If you have any questions regarding the RSA DES Challenge III, send email to

Top of Page