Trondheim, December 12, 2006.

TMA4155 Cryptography, Intro 2006-12-02

Problem 1

a. We need to find an inverse of 403 modulo $(19-1)(31-1) = 540$. Euclid's algorithm gives

$540 = 1 \cdot 403 + 137$
$403 = 2 \cdot 137 + 129$
$137 = 1 \cdot 129 + 8$
$129 = 16 \cdot 8 + 1$

and substituting back,

$1 = 129 - 16 \cdot 8 = 129 - 16 \cdot 137 + 16 \cdot 129 = 17 \cdot 129 - 16 \cdot 137$
$\phantom{1} = 17 \cdot 403 - 34 \cdot 137 - 16 \cdot 137 = 17 \cdot 403 - 50 \cdot 137$
$\phantom{1} = 17 \cdot 403 - 50 \cdot 540 + 50 \cdot 403 = 67 \cdot 403 - 50 \cdot 540.$

It is easy to verify that $67 \cdot 403 - 50 \cdot 540 = 1$, so 67 is a suitable inverse and the private key is $(589, 67)$.

b. Key generation: We generate a key pair by finding two primes $p$ and $q$ of suitable size, compute the product $n = pq$, then find a pair of inverses $e, d$ modulo $(p-1)(q-1)$. The public (verification) key is $(n, e)$, the private (signing) key is $(n, d)$.

Signing: The signing process takes as input the signing key $(n, d)$ and the message to be signed $m \in \{0, 1, \ldots, n-1\}$. It computes $t = m^d \bmod n$, which is the signature on $m$.

Verify: We verify that $t$ is a valid signature on $m$ under the public key $(n, e)$ by checking that $t^e \equiv m \pmod n$. We know that $m^{ed} \equiv m \pmod n$, so any properly generated signature will be a valid signature.

We compute $t \equiv 2^{67} \equiv (2^{33})^2 \cdot 2 \equiv 411^2 \cdot 2 \equiv 467 \cdot 2 \equiv 345 \pmod{589}$.

One problem is that we can easily come up with many forgeries: any $0 \le t < n$ is a valid signature on the message $t^e \bmod n$. Another problem is that if we are given two signatures $t_1$ and $t_2$ on the messages $m_1$ and $m_2$, then $t_1 t_2 \bmod n$ is a signature on $m_1 m_2 \bmod n$. An attacker can exploit this if he can craft two innocent-looking messages whose product is not innocent-looking. (The theory is that the user will sign innocent-looking messages.)

Problem 2

a. We compute $\tilde e_2 = 3 \cdot 5 = 15$, $e_2 = 15$, $\tilde e_3 = 2 \cdot 5 = 10$, $e_3 = 10$ and $\tilde e_5 = 2 \cdot 3 = 6$, $e_5 = 6$. (Note that $\tilde e_j \equiv 1 \pmod j$ for $j = 2, 3, 5$.) A solution is then $x \equiv 1 \cdot 15 + 2 \cdot 10 + 3 \cdot 6 \equiv 53 \pmod{30}$. It is easy to check that $53 \equiv 1 \pmod 2$, $53 \equiv 2 \pmod 3$ and $53 \equiv 3 \pmod 5$.
b. We compute $g_2 = 3^{15} \bmod 31 = 30$ and $a_2 = 11^{15} \bmod 31 \equiv 6^3 \equiv 30 \pmod{31}$. Therefore $a_2 \equiv g_2^1 \pmod{31}$ and we get $x \equiv 1 \pmod 2$.

Next we compute $g_3 = 3^{10} \bmod 31 = 25$ and $a_3 = 11^{10} \bmod 31 = 6^2 \bmod 31 = 5$. Since the discrete logarithm of 5 to the base 25 can only take the values 0, 1 and 2, and we can exclude 0 and 1, we get $x \equiv 2 \pmod 3$.

Next we compute $g_5 = 3^6 \bmod 31 = 16$ and $a_5 = 11^6 \bmod 31 = 4$. We search for the discrete logarithm: $16^2 \bmod 31 = 8$, $16^3 \bmod 31 = (16 \cdot 8) \bmod 31 = 4$, and we get $x \equiv 3 \pmod 5$.

From the answer to the previous problem, we get that $\log_3 11 = 23$.

c. We start with 2 and compute $2^{4!} \bmod 253 = 2^{24} \bmod 253 = 27$. Then we compute $\gcd(2^{4!} - 1, 253)$:

$253 = 9 \cdot 26 + 19$
$26 = 1 \cdot 19 + 7$
$19 = 2 \cdot 7 + 5$
$7 = 1 \cdot 5 + 2$
$5 = 2 \cdot 2 + 1.$

Since this did not work, we compute $2^{5!} \bmod 253 = 27^5 \bmod 253 = 12$, and compute $\gcd(2^{5!} - 1, 253)$: $253 = 23 \cdot 11 + 0$. The prime factors of 253 are 23 and 11.

Problem 3

a. The Diffie-Hellman key agreement protocol establishes a shared key between two parties without any previous interaction. Two nice properties are that both parties contribute equally to the randomness in the shared secret, and that once the randomness used in the protocol has been erased, no future compromise of the parties will compromise the shared key (so-called forward security).

The protocol has as shared, public parameters a prime $p$ and an element $g$ of order $n$. Party A chooses a number $a$ randomly from $\{0, 1, \ldots, n-1\}$, computes $x = g^a \bmod p$ and sends $x$ to party B. Party B chooses a number $b$ randomly from $\{0, 1, \ldots, n-1\}$, computes $y = g^b \bmod p$ and $z = x^b \bmod p$, erases $b$, and sends $y$ to party A. Party A computes $z = y^a \bmod p$ and erases $a$. A and B now share $z$.
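The Pohlig-Hellman computation of Problem 2b, built on the CRT formula of Problem 2a, as an added example that is not part of the exam solutions. It handles any prime $p$ with squarefree $p-1$ (the exam's $31$ with $30 = 2 \cdot 3 \cdot 5$ is one instance) and assumes $g$ generates $\mathbb{Z}_p^*$; the function and variable names are my own.

```python
# Added example, not from the exam solutions: Pohlig-Hellman in Z_p^* for a
# squarefree group order p - 1, combining the CRT of Problem 2a with the
# per-prime logarithms of Problem 2b.  Assumes p prime and g of order p - 1.
from math import prod

def crt(residues, moduli):
    """x with x = r_j (mod m_j) for pairwise coprime m_j (Problem 2a)."""
    N = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        e_tilde = N // m                        # ~e_j = product of the other moduli
        e = e_tilde * pow(e_tilde, -1, m)       # e_j = ~e_j * (~e_j)^-1 mod m_j
        x += r * e
    return x % N

def prime_factors(n):
    """Prime factors of n in increasing order, with multiplicity."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors

def dlog_in_subgroup(g_q, a_q, p, q):
    """log_{g_q} a_q by trying the q possible values 0 .. q-1 (as in 2b)."""
    cur = 1
    for x in range(q):
        if cur == a_q:
            return x
        cur = cur * g_q % p
    raise ValueError("a_q is not in the subgroup generated by g_q")

def pohlig_hellman(g, a, p):
    """log_g a mod p, for p - 1 squarefree."""
    n = p - 1
    qs = prime_factors(n)
    if len(set(qs)) != len(qs):
        raise ValueError("this version handles squarefree p - 1 only")
    residues = []
    for q in qs:
        g_q = pow(g, n // q, p)                  # element of order q
        a_q = pow(a, n // q, p)                  # a raised to the same power
        residues.append(dlog_in_subgroup(g_q, a_q, p, q))   # x mod q
    return crt(residues, qs)
```

`pohlig_hellman(3, 11, 31)` returns 23, the residues being 1, 2 and 3 modulo 2, 3 and 5 exactly as in the hand computation.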
With $p = 17$, $g = 2$:

Party A: $a = 3$, $x = 2^3 \bmod 17 = 8$; sends $x = 8$ to B.
Party B: $b = 5$, $y = 2^5 \bmod 17 = 15$, $z = 8^5 \bmod 17 = 9$; sends $y = 15$ to A.
Party A: $z = 15^3 \bmod 17 = 9$.

b. The man-in-the-middle attack on Diffie-Hellman is possible since there is no authentication in Diffie-Hellman. Party A cannot know if the message $y$ comes from party B or from some other attacker. Party E simply inserts himself in the middle of the protocol, pretending to be party B to party A, and party A to party B, running two copies of the Diffie-Hellman protocol:

Party A: $a = 3$, $x = 8$; sends 8 (received by E).
Party E (with its own $a = 7$ and $b = 4$): $x = 2^7 \bmod 17 = 9$, $y = 2^4 \bmod 17 = 16$; sends 16 to A and 9 to B; computes $z_A = 8^4 \bmod 17 = 16$ and $z_B = 15^7 \bmod 17 = 8$.
Party B: $b = 5$, $y = 15$; sends 15 (received by E); computes $z_B = 8$.
Party A: computes $z_A = 16$.

One simple counter-measure against this attack is for each party to sign the messages in the protocol.

Problem 4

a. A hash function is a function $h$ from bit strings of arbitrary length to bit strings of fixed length.

Preimage resistance: Given a hash value $y$, it should be hard to find some $x$ such that $h(x) = y$.

Second preimage resistance: Given a bit string $x_1$, it should be hard to find some $x_2 \ne x_1$ such that $h(x_1) = h(x_2)$.

Collision resistance: It should be hard to find $x_1 \ne x_2$ such that $h(x_1) = h(x_2)$.

Hash functions should also be easy to compute (cost is linear in the length of the input).
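The two protocol runs of Problem 3, written out as message passing, as an added example that is not part of the exam solutions. It uses the exam's $p = 17$, $g = 2$ and the secrets from the tables; the `Party` class and function names are my own. The point of the relayed run is that without authentication the two endpoints end up with different keys, neither of which is secret from the relay, which is why the solutions recommend signing the protocol messages.

```python
# Added example, not from the exam solutions: Diffie-Hellman over Z_17^* with
# g = 2 (Problem 3a) and the unauthenticated relay of Problem 3b, modelled as
# explicit message passing so the resulting keys can be compared.
P, G = 17, 2

class Party:
    def __init__(self, secret):
        self.secret = secret
        self.public = pow(G, secret, P)        # x = g^a mod p, sent in clear
        self.key = None

    def receive(self, peer_public):
        """Derive z from the peer's value and erase the exponent (forward security)."""
        self.key = pow(peer_public, self.secret, P)   # z = y^a mod p
        self.secret = None

def honest_run(a, b):
    """A and B talk directly; both obtain g^(ab) mod p."""
    A, B = Party(a), Party(b)
    A.receive(B.public)                        # B -> A: y
    B.receive(A.public)                        # A -> B: x
    return A.key, B.key                        # (9, 9) for a = 3, b = 5

def relayed_run(a, b, e_towards_a, e_towards_b):
    """E answers A with its own g^b' and B with its own g^a' (Problem 3b)."""
    A, B = Party(a), Party(b)
    EA, EB = Party(e_towards_a), Party(e_towards_b)
    A.receive(EA.public); EA.receive(A.public)     # A <-> E, E posing as B
    B.receive(EB.public); EB.receive(B.public)     # E <-> B, E posing as A
    return A.key, B.key, EA.key, EB.key            # (16, 8, 16, 8) in the exam
```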
b. We evaluate the Feistel structure (the original shows this as a diagram with S-boxes $S_1$ and $S_2$; the intermediate values in it read 000, 101, 001, 110, 101, 000, 011, 101, 000, 000) and get $f(000\,000\,101) = 101\,000\,000$.

c. We make two observations. From the above Feistel diagram, the bits 0, 1 and 2 in the output depend only on bits 0, 1, 2, 9, 10 and 11 in the input, bits 3, 4 and 5 depend only on bits 3, 4, 5, 12, 13 and 14, and bits 6, 7 and 8 depend only on bits 6, 7, 8, 15, 16 and 17. The message is essentially split into three parts, each part is processed separately, and the outputs are concatenated. The second observation is that Feistel structures can be reversed, and the final left-hand side is not included in the output.

The first observation says that we could apply the birthday paradox to one part. The second observation says that we could make a change in the final left-hand side, reverse the Feistel and have a collision. Combining the two observations, we know that if we make a small change in one part of the left-hand side and reverse the much smaller Feistel structure that computes this part, we find a collision.
We change the first bit of the left-hand side to 1 and compute (intermediate values in the original diagram: 101, 011, 101, 100, 101). Therefore, $000\,000\,101$ and $100\,000\,101$ form a collision for $f$.

TMA4155 Cryptography, Intro 2006-12-12

Problem 1

a. We need to find an inverse of 417 modulo $(23-1)(29-1) = 616$. Euclid's algorithm gives

$616 = 1 \cdot 417 + 199$
$417 = 2 \cdot 199 + 19$
$199 = 10 \cdot 19 + 9$
$19 = 2 \cdot 9 + 1$

and substituting back,

$1 = 19 - 2 \cdot 9 = 19 - 2 \cdot 199 + 20 \cdot 19 = 21 \cdot 19 - 2 \cdot 199$
$\phantom{1} = 21 \cdot 417 - 42 \cdot 199 - 2 \cdot 199 = 21 \cdot 417 - 44 \cdot 199$
$\phantom{1} = 21 \cdot 417 - 44 \cdot 616 + 44 \cdot 417 = 65 \cdot 417 - 44 \cdot 616.$

It is easy to verify that $65 \cdot 417 - 44 \cdot 616 = 1$, so 65 is a suitable inverse and the private key is $(667, 65)$.

b. Key generation: We generate a key pair by finding two primes $p$ and $q$ of suitable size, compute the product $n = pq$, then find a pair of inverses $e, d$ modulo $(p-1)(q-1)$. The public (verification) key is $(n, e)$, the private (signing) key is $(n, d)$.

Encryption: The encryption of a message $m \in \{0, 1, \ldots, n-1\}$ under the public key $(n, e)$ is $m^e \bmod n$.
Decryption: The decryption of a ciphertext $c \in \{0, 1, \ldots, n-1\}$ under the private key $(n, d)$ is $c^d \bmod n$. We know that $m^{ed} \equiv m \pmod n$, so decrypting an encryption of $m$ will yield $m$.

We compute $t \equiv 2^{65} \equiv (2^{32})^2 \cdot 2 \equiv 219^2 \cdot 2 \equiv 541 \pmod{667}$.

One problem is that for messages smaller than the $e$-th root of $n$, the decryption is easy to compute without the secret key. Another problem is that if we are given two ciphertexts $c_1$ and $c_2$ that are encryptions of the messages $m_1$ and $m_2$, respectively, then $c = c_1 c_2 \bmod n$ is an encryption of $m_1 m_2 \bmod n$. An attacker can exploit this if he can fool the user into decrypting $c$. (The theory is that the user may be willing to reveal the decryption of messages if they seem meaningless.)

Problem 2

a. Modulo 71, 7 can have the orders 70, 35, 14, 10, 7, 5, 2 and 1. We compute:

$7^7 \equiv 14 \pmod{71}$
$7^{35} \equiv 14^5 \equiv 70 \pmod{71}$
$7^{14} \equiv 14^2 \equiv 54 \pmod{71}$
$7^{10} \equiv 45 \pmod{71}$

Therefore the order of 7 modulo 71 is 70.

b. Since $\sqrt{70} \approx 8.4$, we compute the table

$7^0 \equiv 1$, $7^1 \equiv 7$, $7^2 \equiv 49$, $7^3 \equiv 59$, $7^4 \equiv 58$, $7^5 \equiv 51$, $7^6 \equiv 2$, $7^7 \equiv 14 \pmod{71}$.

We compute $7^8 \equiv 27 \pmod{71}$ and find an inverse:

$71 = 2 \cdot 27 + 17$
$27 = 1 \cdot 17 + 10$
$17 = 1 \cdot 10 + 7$
$10 = 1 \cdot 7 + 3$
$7 = 2 \cdot 3 + 1$

$1 = 7 - 2 \cdot 3 = 3 \cdot 7 - 2 \cdot 10 = 3 \cdot 17 - 5 \cdot 10 = 8 \cdot 17 - 5 \cdot 27 = 8 \cdot 71 - 21 \cdot 27.$
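Textbook RSA as used in Problem 1 of both exams (the signature scheme of 2006-12-02 and the encryption scheme of 2006-12-12), as an added example that is not part of the exam solutions. It runs the extended Euclidean algorithm that the solutions do by hand, reproduces the private keys $(589, 67)$ and $(667, 65)$, the signature 345 on 2 and the value 541, and checks the multiplicative property both solutions warn about; the function names are my own and there is no padding, exactly as in the exam.

```python
# Added example, not from the exam solutions: unpadded RSA as in Problem 1 of
# both exams, with the extended Euclidean algorithm run by hand there.
def egcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def modinv(a, m):
    g, s, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return s % m

def rsa_keygen(p, q, e):
    """Public (n, e), private (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    return (n, e), (n, modinv(e, (p - 1) * (q - 1)))

def rsa_sign(priv, m):
    n, d = priv
    return pow(m, d, n)                 # t = m^d mod n

def rsa_verify(pub, m, t):
    n, e = pub
    return pow(t, e, n) == m % n        # t^e = m (mod n)?

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                 # c = m^e mod n

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                 # m = c^d mod n

def signature_is_multiplicative(pub, priv, m1, m2):
    """t1*t2 mod n verifies as a signature on m1*m2 mod n (2006-12-02, 1b)."""
    n = pub[0]
    t = rsa_sign(priv, m1) * rsa_sign(priv, m2) % n
    return rsa_verify(pub, m1 * m2 % n, t)

def decryption_is_multiplicative(pub, priv, m1, m2):
    """c1*c2 mod n decrypts to m1*m2 mod n (2006-12-12, 1b)."""
    n = pub[0]
    c = rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2) % n
    return rsa_decrypt(priv, c) == m1 * m2 % n
```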
Our inverse is 50. Now we compute:

$57 \cdot 50 \equiv 10 \pmod{71}$
$57 \cdot 50^2 \equiv 3 \pmod{71}$
$57 \cdot 50^3 \equiv 8 \pmod{71}$
$57 \cdot 50^4 \equiv 45 \pmod{71}$
$57 \cdot 50^5 \equiv 49 \equiv 7^2 \pmod{71}$

This gives us $57 \equiv 7^2 (7^8)^5 \equiv 7^{42} \pmod{71}$ and $\log_7 57 = 42$.

c. We compute:

$2^2 + 1 \equiv 5 \pmod{253}$, $(2^2 + 1)^2 + 1 \equiv 26 \pmod{253}$, $\gcd(21, 253) = 1$
$5^2 + 1 \equiv 26 \pmod{253}$, $(26^2 + 1)^2 + 1 \equiv 147 \pmod{253}$, $\gcd(121, 253) = 11$

We find that $253 = 11 \cdot 23$.

Problem 3

a. Key generation: From the system parameters $p$ and $g$ (the order of $g$ is for simplicity $p-1$), we choose $a \in \{0, 1, \ldots, p-2\}$ at random and compute $x = g^a \bmod p$. The public key is $x$, the private key is $a$.

Encryption: We choose $k \in \{0, 1, \ldots, p-2\}$ at random and compute $y = g^k \bmod p$, $z = x^k \bmod p$. The ciphertext is $c = (y, zm \bmod p)$.

Decryption: The decryption of $c = (y, w)$ is $w (y^a)^{-1} \bmod p$. Since $w (y^a)^{-1} \equiv (g^a)^k m ((g^k)^a)^{-1} \equiv m \pmod p$, decryption of encryptions of $m$ always yields $m$.

For the secret key $a = 11$, we compute $x = 2^{11} \bmod p = 18$ as the public key. Decryption of $c = (3, 15)$: We compute $(3^{11})^{-1} \equiv 3^{-11} \equiv 3^{17} \equiv 2 \pmod{29}$, and $m = 15 \cdot 2 \bmod 29 = 1$.

b. We know that $25 \equiv 24^a \cdot 7 \pmod{29}$, so $(24^a)^{-1} \equiv 25^{-1} \cdot 7 \pmod{29}$. The decryption of $(24, 3)$ is $m \equiv 3 \cdot (24^a)^{-1} \equiv 3 \cdot 25^{-1} \cdot 7 \pmod{29}$. We know that $25 \equiv -4 \pmod{29}$, and $(-4) \cdot 7 \equiv -28 \equiv 1 \pmod{29}$, so $m \equiv 3 \cdot 7^2 \equiv 2 \pmod{29}$.
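The baby-step giant-step search of Problem 2b, together with the order check of Problem 2a, as an added example that is not part of the exam solutions. It works for any prime modulus; with the exam's $n = 70$ the table size is $\lfloor\sqrt{70}\rfloor = 8$ and the giant step multiplies by $(7^8)^{-1} = 50$, so the search visits the same values 10, 3, 8, 45, 49 as the hand computation. Function names are my own.

```python
# Added example, not from the exam solutions: baby-step giant-step in Z_p^*
# (Problem 2b) plus the order computation of Problem 2a.
from math import isqrt

def order(g, p):
    """Order of g modulo a prime p: the smallest divisor r of p-1 with g^r = 1."""
    n = p - 1
    for r in range(1, n + 1):
        if n % r == 0 and pow(g, r, p) == 1:
            return r
    raise ValueError("g is not a unit modulo p")

def bsgs(g, h, p, n=None):
    """log_g h mod p, g of order n (default p - 1); None if no solution."""
    n = p - 1 if n is None else n
    m = max(1, isqrt(n))                  # baby-step table size, 8 for n = 70
    table = {}
    cur = 1
    for j in range(m):                    # table of g^0 .. g^(m-1)
        table.setdefault(cur, j)
        cur = cur * g % p
    step = pow(pow(g, m, p), -1, p)       # (g^m)^-1, the inverse 50 of 7^8
    gamma = h % p
    for i in range(n // m + 1):           # h * (g^m)^-i until it hits the table
        if gamma in table:
            return (i * m + table[gamma]) % n   # h = g^(i*m + j)
        gamma = gamma * step % p
    return None
```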
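The two factoring methods that the solutions run by hand on 253, as an added example that is not part of the exam solutions: Pollard's $p-1$ with exponent $B!$ (Problem 2c of 2006-12-02) and Pollard's rho with $f(x) = x^2 + 1$ and Floyd cycle finding (Problem 2c of 2006-12-12). Both reproduce the gcd sequence of the hand computation; function names are my own.

```python
# Added example, not from the exam solutions: Pollard p-1 and Pollard rho on
# 253, following the two hand computations in the solutions.
from math import gcd

def pollard_p_minus_1(n, base=2, max_b=50):
    """Nontrivial factor of n from gcd(base^(B!) - 1, n), or None."""
    a = base
    for b in range(2, max_b + 1):
        a = pow(a, b, n)                  # a = base^(b!) mod n; 27 then 12 for 253
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g
        if g == n:
            return None                   # every prime factor divides base^(b!) - 1
    return None

def pollard_rho(n, x0=2):
    """Factor via f(x) = x^2 + 1 mod n; tortoise x_i, hare x_{2i}."""
    f = lambda x: (x * x + 1) % n
    x, y = f(x0), f(f(x0))                # 5 and 26 for n = 253, x0 = 2
    while True:
        g = gcd(abs(y - x), n)            # gcd(21, 253) = 1, then gcd(121, 253) = 11
        if g == n:
            return None                   # cycle closed without splitting n
        if g > 1:
            return g
        x, y = f(x), f(f(y))

def factor_pair(n, method):
    """Split n into (small, large) using the given method, or None."""
    g = method(n)
    return None if g is None else tuple(sorted((g, n // g)))
```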
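ElGamal over $\mathbb{Z}_{29}^*$ with $g = 2$ as in Problem 3, as an added example that is not part of the exam solutions. It reproduces the decryption of $(3, 15)$ under $a = 11$ and the key-free decryption of $(24, 3)$ in 3b, which works because a known plaintext for a ciphertext with the same $y$ reveals the mask $y^a$; this is why $k$ must be fresh and random for every encryption. Function names are my own.

```python
# Added example, not from the exam solutions: ElGamal in Z_29^* with g = 2
# (Problem 3), including the shared-mask observation of Problem 3b.
import secrets

P, G = 29, 2

def keygen(a):
    """Public x = g^a mod p, private a."""
    return pow(G, a, P), a

def encrypt(x, m, k=None):
    """c = (g^k, x^k * m mod p); k is drawn fresh unless given (for tests)."""
    k = secrets.randbelow(P - 1) if k is None else k
    y, z = pow(G, k, P), pow(x, k, P)
    return y, z * m % P

def decrypt(a, c):
    """m = w * (y^a)^-1 mod p."""
    y, w = c
    return w * pow(pow(y, a, P), -1, P) % P

def decrypt_with_known_plaintext(known_c, known_m, target_c):
    """Problem 3b: both ciphertexts carry the same y, hence the same mask y^a."""
    (y1, w1), (y2, w2) = known_c, target_c
    if y1 != y2:
        raise ValueError("the masks differ unless y is reused")
    mask_inv = known_m * pow(w1, -1, P) % P      # (y^a)^-1 = m * w^-1 mod p
    return w2 * mask_inv % P
```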
Problem 4

a. A key stream generator is an algorithm that on input of a key and an initialization vector outputs a given number of bits. A stream cipher encrypts a message $m$ of length $L$ with key $k$ as follows: It chooses a random initialization vector $iv$, uses the key stream generator with input $iv$ and $k$ to generate $L$ bits $z$, and outputs the ciphertext $c = iv \| (m \oplus z)$. To decrypt the ciphertext $c$, it is first parsed as $iv \| w$, the key stream generator with input $iv$ and $k$ generates $L$ bits $z$, and the message is $w \oplus z$. This works since $m \oplus z \oplus z = m$.

Denote the $L$ bits output by the key stream generator with input $iv$ and $k$ as $f(k, iv, L)$. If an initialization vector is used to encrypt two distinct messages $m_1$ and $m_2$ (we may as well assume they are of equal length), we get two ciphertexts $c_1 = iv \| w_1$ and $c_2 = iv \| w_2$, where $w_1 = m_1 \oplus f(k, iv, L)$ and $w_2 = m_2 \oplus f(k, iv, L)$. Then $w_1 \oplus w_2 = m_1 \oplus m_2$, and from this information about $m_1$ and $m_2$ can often be recovered, as in the two-time pad.

b. We compute the output as shown in the following diagram (a coloured figure in the original; the bit rows it contains read 1 0 1 1 1 0 0 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 0 0 1). The bits in blue come from the initialization vector, the bits in red are key bits, the violet bit is the parity bit, and the bits in black are the bits generated by the LFSR feedback. The dots above describe the LFSR feedback. The dots below the line describe the filter function, where dots connected by lines should be ANDed together and the dots in one row should be added together. The output is 0000 0000.

c. From the above diagram, we see that the second output bit only depends on the bits from the initialization vector. Using the given initialization vector 0 0, we get that the second output bit is 1, which corresponds to the message being 0000.