TMA4155 Cryptography, Intro


Trondheim, December 12, 2006.

TMA4155 Cryptography, Intro, 2006-12-02

Problem 1

a. We need to find an inverse of 403 modulo $(19-1)(31-1) = 540$. The Euclidean algorithm gives
$$540 = 1 \cdot 403 + 137, \qquad 403 = 2 \cdot 137 + 129, \qquad 137 = 1 \cdot 129 + 8, \qquad 129 = 16 \cdot 8 + 1,$$
and substituting back,
$$1 = 129 - 16 \cdot 8 = 17 \cdot 129 - 16 \cdot 137 = 17 \cdot 403 - 50 \cdot 137 = 67 \cdot 403 - 50 \cdot 540.$$
It is easy to verify that $67 \cdot 403 - 50 \cdot 540 = 1$, so 67 is a suitable inverse and the private key is $(589, 67)$.

b. Key generation: We generate a key pair by finding two primes $p$ and $q$ of suitable size, compute the product $n = pq$, then find a pair of inverses $e, d$ modulo $(p-1)(q-1)$. The public (verification) key is $(n, e)$, the private (signing) key is $(n, d)$.

Signing: The signing process takes as input the signing key $(n, d)$ and the message to be signed $m \in \{0, 1, \ldots, n-1\}$. It computes $t = m^d \bmod n$, which is the signature on $m$.

Verify: We verify that $t$ is a valid signature on $m$ under the public key $(n, e)$ by checking that $t^e \equiv m \pmod n$. We know that $m^{ed} \equiv m \pmod n$, so any properly generated signature will be a valid signature.

For the message $m = 2$ we compute
$$t \equiv 2^{67} \equiv (2^{33})^2 \cdot 2 \equiv 411^2 \cdot 2 \equiv 467 \cdot 2 \equiv 345 \pmod{589}.$$

One problem is that we can easily come up with many forgeries: any $0 \le t < n$ is a valid signature on the message $t^e \bmod n$. Another problem is that if we are given two signatures $t_1$ and $t_2$ on the messages $m_1$ and $m_2$, then $t_1 t_2 \bmod n$ is a signature on $m_1 m_2 \bmod n$. An attacker can exploit this if he can craft two innocent-looking messages whose product is not innocent-looking. (The theory is that the user will sign innocent-looking messages.)

Problem 2

a. We solve the system $x \equiv 1 \pmod 2$, $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$ with the Chinese remainder theorem. We compute $\tilde e_2 = 3 \cdot 5 = 15$, $e_2 = 15$; $\tilde e_3 = 2 \cdot 5 = 10$, $e_3 = 10$; and $\tilde e_5 = 2 \cdot 3 = 6$, $e_5 = 6$. (Note that $\tilde e_j \equiv 1 \pmod j$ for $j = 2, 3, 5$, so no correction factor is needed and $e_j = \tilde e_j$.) A solution is then
$$x \equiv 1 \cdot 15 + 2 \cdot 10 + 3 \cdot 6 = 53 \equiv 23 \pmod{30}.$$
It is easy to check that $53 \equiv 1 \pmod 2$, $53 \equiv 2 \pmod 3$ and $53 \equiv 3 \pmod 5$.

b. We compute $g_2 = 3^{15} \bmod 31 = 30$ and $a_2 = 11^{15} \bmod 31 \equiv 6^3 \equiv 30 \pmod{31}$ (using $11^5 \equiv 6 \pmod{31}$). Therefore $a_2 \equiv g_2^1 \pmod{31}$ and we get $x \equiv 1 \pmod 2$.

Next we compute $g_3 = 3^{10} \bmod 31 = 25$ and $a_3 = 11^{10} \bmod 31 = 6^2 \bmod 31 = 5$. Since the discrete logarithm of 5 to the base 25 can only take the values 0, 1 and 2, and we can exclude 0 and 1 ($25^0 = 1$ and $25^1 = 25$), we get $x \equiv 2 \pmod 3$.

Next we compute $g_5 = 3^6 \bmod 31 = 16$ and $a_5 = 11^6 \bmod 31 = 4$. We search for the discrete logarithm: $16^2 \bmod 31 = 8$, $16^3 \bmod 31 = (16 \cdot 8) \bmod 31 = 4$, and we get $x \equiv 3 \pmod 5$.

From the answer to the previous problem, we get that $\log_3 11 = 23$.

c. We start with 2 and compute $2^{4!} \bmod 253 = 2^{24} \bmod 253 = 27$. Then we compute $\gcd(2^{4!} - 1, 253) = \gcd(26, 253)$:
$$253 = 9 \cdot 26 + 19, \quad 26 = 1 \cdot 19 + 7, \quad 19 = 2 \cdot 7 + 5, \quad 7 = 1 \cdot 5 + 2, \quad 5 = 2 \cdot 2 + 1,$$
so the gcd is 1. Since this did not work, we compute $2^{5!} \bmod 253 = 27^5 \bmod 253 = 12$, and compute $\gcd(2^{5!} - 1, 253) = \gcd(11, 253)$: $253 = 23 \cdot 11 + 0$, so the gcd is 11. The prime factors of 253 are 23 and 11.

Problem 3

a. The Diffie-Hellman key agreement protocol establishes a shared key between two parties without any previous interaction. Two nice properties are that both parties contribute equally to the randomness in the shared secret, and that once the randomness used in the protocol has been erased, no future compromise of the parties will compromise the shared key (so-called forward security).

The protocol has as shared, public parameters a prime $p$ and an element $g$ of order $n$. Party A chooses a number $a$ randomly from $\{0, 1, \ldots, n-1\}$, computes $x = g^a \bmod p$ and sends $x$ to party B. Party B chooses a number $b$ randomly from $\{0, 1, \ldots, n-1\}$, computes $y = g^b \bmod p$ and $z = x^b \bmod p$, erases $b$, and sends $y$ to party A. Party A computes $z = y^a \bmod p$ and erases $a$. A and B now share $z$.
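The three parts of Problem 2 above (Chinese remainder theorem, Pohlig-Hellman for $\log_3 11$ in $\mathbb{Z}_{31}^*$, and Pollard's $p-1$ method on 253), as an added Python example that is not part of the exam solutions. The CRT follows the solutions' $\tilde e_j$, $e_j$ construction; the Pohlig-Hellman routine handles, like the exam, a square-free group order (here $30 = 2 \cdot 3 \cdot 5$) and solves each small subgroup by brute force; `max_k` and the starting base $a = 2$ are my choices.

```python
"""Chinese remainder theorem, Pohlig-Hellman and Pollard's p-1 method, as in
Problem 2 (added example, not part of the exam solutions)."""
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for exam-sized n)."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


def crt(residues, moduli):
    """Solve x = r_j (mod m_j) for pairwise coprime m_j, with the exam's
    construction: e~_j = M/m_j, e_j = e~_j * (e~_j^{-1} mod m_j), x = sum r_j e_j."""
    big_m = 1
    for m in moduli:
        big_m *= m
    x = 0
    for r, m in zip(residues, moduli):
        e_tilde = big_m // m
        e_j = e_tilde * pow(e_tilde, -1, m)   # e_j = 1 mod m_j, 0 mod the others
        x += r * e_j
    return x % big_m


def pohlig_hellman(g, h, p, n):
    """log_g h mod p when g has square-free order n (the exam's case, n = 30).
    For each prime q | n project into the subgroup of order q (g_q = g^{n/q},
    a_q = h^{n/q}), solve that tiny logarithm by search, then recombine by CRT."""
    fs = prime_factors(n)
    if any(n % (q * q) == 0 for q in fs):
        raise ValueError("this version assumes a square-free order")
    residues, moduli = [], []
    for q in fs:
        g_q = pow(g, n // q, p)
        a_q = pow(h, n // q, p)
        x_q = next(x for x in range(q) if pow(g_q, x, p) == a_q)
        residues.append(x_q)
        moduli.append(q)
    return crt(residues, moduli)


def pollard_p_minus_1(n, a=2, max_k=50):
    """Return (factor, k) with factor = gcd(a^{k!} - 1, n), or None on failure.
    Works when some prime p | n has p - 1 dividing k! (here 11 - 1 = 10 | 5!)."""
    x = a
    for k in range(2, max_k + 1):
        x = pow(x, k, n)                 # x = a^{k!} mod n
        d = gcd(x - 1, n)
        if 1 < d < n:
            return d, k
        if d == n:                       # all factors collapsed at once: retry with another a
            return None
    return None


if __name__ == "__main__":
    print(crt([1, 2, 3], [2, 3, 5]))                 # 23
    print(pohlig_hellman(3, 11, 31, 30))             # 23
    print(pollard_p_minus_1(253))                    # (11, 5): found at k = 5, as in the exam
```

Pohlig-Hellman is why discrete-logarithm groups are chosen with a large prime-order subgroup: the work is governed by the largest prime factor of the order, not by the order itself.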

With $p = 17$, $g = 2$:

A: $a = 3$, $x = 2^3 \bmod 17 = 8$, sends $x = 8$ to B.
B: $b = 5$, $y = 2^5 \bmod 17 = 15$, $z = 8^5 \bmod 17 = 9$, sends $y = 15$ to A.
A: $z = 15^3 \bmod 17 = 9$.

b. The man-in-the-middle attack on Diffie-Hellman is possible since there is no authentication in Diffie-Hellman. Party A cannot know whether the message $y$ comes from party B or from some other party. Party E simply inserts himself in the middle of the protocol, pretending to be party B to party A, and party A to party B, running two copies of the Diffie-Hellman protocol (E uses $a' = 7$ towards B and $b' = 4$ towards A):

A: $a = 3$, $x = 2^3 \bmod 17 = 8$, sent towards B but intercepted by E.
E: $a' = 7$, $x' = 2^7 \bmod 17 = 9$, sent to B in A's name.
B: $b = 5$, $y = 2^5 \bmod 17 = 15$, $z_B = 9^5 \bmod 17 = 8$, $y$ sent towards A but intercepted by E.
E: $b' = 4$, $y' = 2^4 \bmod 17 = 16$, sent to A in B's name; E computes $z_A = 8^4 \bmod 17 = 16$ and $z_B = 15^7 \bmod 17 = 8$.
A: $z_A = 16^3 \bmod 17 = 16$.

A now shares $z_A = 16$ with E and B shares $z_B = 8$ with E, while both believe they share a key with each other. One simple counter-measure against this attack is for each party to sign the messages in the protocol.

Problem 4

a. A hash function is a function $h$ from bit strings of arbitrary length to bit strings of fixed length.

Preimage resistance: Given a hash value $y$, it should be hard to find some $x$ such that $h(x) = y$.
Second preimage resistance: Given a bit string $x_1$, it should be hard to find some $x_2 \ne x_1$ such that $h(x_1) = h(x_2)$.
Collision resistance: It should be hard to find $x_1 \ne x_2$ such that $h(x_1) = h(x_2)$.

Hash functions should also be easy to compute (cost is linear in the length of the input).
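The Diffie-Hellman run and the man-in-the-middle attack of Problem 3 above, as an added Python example that is not part of the exam solutions. It uses the exam's toy parameters $p = 17$, $g = 2$ (2 has order 8 modulo 17, so only 8 shared keys are possible; real deployments use a large prime-order subgroup) and returns the keys each party ends up with, so that the effect of E's two substituted messages can be checked directly. The function names are my choices.

```python
"""Diffie-Hellman over Z_17 with g = 2, and the man-in-the-middle attack of
Problem 3 (added example with the exam's numbers)."""

P, G = 17, 2       # toy parameters from the exam; 2 has order 8 mod 17


def dh_public(secret):
    return pow(G, secret, P)


def dh_shared(peer_public, secret):
    return pow(peer_public, secret, P)


def honest_run(a, b):
    """Returns (z computed by A, z computed by B); they agree."""
    x = dh_public(a)                  # A -> B
    y = dh_public(b)                  # B -> A
    return dh_shared(y, a), dh_shared(x, b)


def mitm_run(a, b, e_towards_b, e_towards_a):
    """E intercepts both messages and replaces them with its own.
    Returns (A's key, E's copy of A's key, B's key, E's copy of B's key)."""
    x = dh_public(a)                  # A -> (E): intercepted, never reaches B
    x_fake = dh_public(e_towards_b)   # (E) -> B, in A's name
    y = dh_public(b)                  # B -> (E): intercepted, never reaches A
    y_fake = dh_public(e_towards_a)   # (E) -> A, in B's name
    z_a = dh_shared(y_fake, a)        # what A believes it shares with B
    z_a_e = dh_shared(x, e_towards_a)  # E knows it too
    z_b = dh_shared(x_fake, b)        # what B believes it shares with A
    z_b_e = dh_shared(y, e_towards_b)  # E knows it too
    return z_a, z_a_e, z_b, z_b_e


if __name__ == "__main__":
    print(honest_run(3, 5))           # (9, 9)
    print(mitm_run(3, 5, 7, 4))       # (16, 16, 8, 8): A-E key 16, B-E key 8
```

Nothing in the exchange lets A or B notice the substitution: every value is a well-formed group element. That is why the countermeasure has to add authentication (signatures over $x$ and $y$, or a MAC under a pre-shared key), not more arithmetic.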

b. We evaluate the Feistel structure on the input $000\,000\,101$. [Feistel diagram not reproduced; the intermediate values as extracted are $000\,101$, $S_1$: $001$, $S_2$: $110$, $S_1$: $101$, $S_2$: $000$, $011$, $S_1$ $S_2$, $101\,000\,000$.] We get $f(000\,000\,101) = 101\,000\,000$.

c. We make two observations.

First, from the above Feistel diagram, bits 0, 1 and 2 of the output depend only on bits 0, 1, 2, 9, 10 and 11 of the input; bits 3, 4 and 5 depend only on bits 3, 4, 5, 12, 13 and 14; and bits 6, 7 and 8 depend only on bits 6, 7, 8, 15, 16 and 17. The message is essentially split into three parts, each part is processed separately, and the outputs are concatenated.

Second, Feistel structures can be reversed, and the final left-hand side is not included in the output.

The first observation says that we could apply the birthday paradox to one part alone (only 8 output values per part). The second observation says that we could make a change in the final left-hand side, reverse the Feistel structure and have a collision. Combining the two observations: if we make a small change in one part of the final left-hand side and reverse the much smaller Feistel structure that computes this part, we find a collision.
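Both observations of Problem 4 c above, carried out in code, as an added Python example that is not part of the exam solutions. The exam's S-boxes are not reproduced on this page, so `S1` and `S2` below are hypothetical 3-bit S-boxes of my own; the structure (18-bit input split into two 9-bit halves, two unkeyed Feistel rounds whose round function applies a 3-bit S-box to each 3-bit lane, output = final right half only) matches the dependencies the solution describes, and both attacks work for any choice of S-boxes. `invert_collision` is the second observation (change the discarded left half, run the rounds backwards); `birthday_collision` is the first (vary only one lane of both halves, wait for the 3-bit lane output to repeat).

```python
"""Collisions in a hash built from an unkeyed Feistel structure whose final
left half is discarded (Problem 4 b/c). Added example: S1 and S2 are
hypothetical 3-bit S-boxes, not the exam's; the attacks do not depend on them."""

S1 = [5, 2, 7, 0, 3, 6, 1, 4]   # hypothetical 3-bit S-box for round 1
S2 = [3, 7, 1, 5, 0, 4, 6, 2]   # hypothetical 3-bit S-box for round 2
ROUNDS = (S1, S2)
HALF = 9                        # 18-bit input = 9-bit left half || 9-bit right half
MASK = (1 << HALF) - 1


def lanewise(sbox, r):
    """Apply a 3-bit S-box to each of the three 3-bit lanes of a 9-bit value.
    Lane i of the result depends only on lane i of r (first observation)."""
    out = 0
    for i in range(3):
        out |= sbox[(r >> (3 * i)) & 7] << (3 * i)
    return out


def feistel_forward(left, right):
    for sbox in ROUNDS:
        left, right = right, left ^ lanewise(sbox, right)
    return left, right


def feistel_backward(left, right):
    """Undo feistel_forward: from (L_i, R_i) recover (L_{i-1}, R_{i-1})."""
    for sbox in reversed(ROUNDS):
        left, right = right ^ lanewise(sbox, left), left
    return left, right


def feistel_hash(x):
    """f: 18-bit x -> 9-bit hash = final right half; the final left half is dropped."""
    _, right = feistel_forward(x >> HALF, x & MASK)
    return right


def invert_collision(x):
    """Second observation: change the discarded final left half and run the
    Feistel backwards; the result is a different input with the same hash."""
    left, right = feistel_forward(x >> HALF, x & MASK)
    left ^= 1 << (HALF - 1)           # flip the first bit of the final left half
    left0, right0 = feistel_backward(left, right)
    return (left0 << HALF) | right0


def birthday_collision():
    """First observation: output lane 0 depends only on lane 0 of both input
    halves. Inputs that differ only there keep the other two output lanes
    identical, so a collision appears as soon as the 3-bit lane output repeats,
    i.e. after at most 9 inputs (pigeonhole), not ~2^(9/2) as for a good 9-bit hash."""
    seen = {}
    for left0 in range(8):
        for right0 in range(8):
            x = (left0 << HALF) | right0
            h = feistel_hash(x)
            if h in seen:
                return seen[h], x
            seen[h] = x
    raise AssertionError("unreachable: 64 inputs into 8 lane values")


if __name__ == "__main__":
    x = 0
    x2 = invert_collision(x)
    print(x, x2, feistel_hash(x), feistel_hash(x2))      # same hash, different input
    y1, y2 = birthday_collision()
    print(y1, y2, feistel_hash(y1) == feistel_hash(y2))  # True
```

The inversion attack is the structural lesson: a Feistel network is a permutation, and throwing away half of its output does not make it one-way; a compression function needs a non-invertible step (for instance feeding the input forward and XORing it into the output, as in Davies-Meyer).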

We change the first bit of the final left-hand side to 1 and compute backwards. [Diagram not reproduced; the intermediate values as extracted are $101$, $011$, $101$, $100$, $101$.] Therefore $000\,000\,101$ and $100\,000\,101$ collide under $f$.

TMA4155 Cryptography, Intro, 2006-12-12

Problem 1

a. We need to find an inverse of 417 modulo $(23-1)(29-1) = 616$. The Euclidean algorithm gives
$$616 = 1 \cdot 417 + 199, \qquad 417 = 2 \cdot 199 + 19, \qquad 199 = 10 \cdot 19 + 9, \qquad 19 = 2 \cdot 9 + 1,$$
and substituting back,
$$1 = 19 - 2 \cdot 9 = 21 \cdot 19 - 2 \cdot 199 = 21 \cdot 417 - 44 \cdot 199 = 65 \cdot 417 - 44 \cdot 616.$$
It is easy to verify that $65 \cdot 417 - 44 \cdot 616 = 1$, so 65 is a suitable inverse and the private key is $(667, 65)$.

b. Key generation: We generate a key pair by finding two primes $p$ and $q$ of suitable size, compute the product $n = pq$, then find a pair of inverses $e, d$ modulo $(p-1)(q-1)$. The public (encryption) key is $(n, e)$, the private (decryption) key is $(n, d)$.

Encryption: The encryption of a message $m \in \{0, 1, \ldots, n-1\}$ under the public key $(n, e)$ is $m^e \bmod n$.

Decryption: The decryption of a ciphertext $c \in \{0, 1, \ldots, n-1\}$ under the private key $(n, d)$ is $c^d \bmod n$. We know that $m^{ed} \equiv m \pmod n$, so decrypting an encryption of $m$ will yield $m$.

For the message $m = 2$ we compute the ciphertext
$$c \equiv 2^{65} \equiv (2^{32})^2 \cdot 2 \equiv 219^2 \cdot 2 \equiv 604 \cdot 2 \equiv 541 \pmod{667}.$$

One problem is that for messages smaller than the $e$-th root of $n$, the decryption is easy to compute without the secret key: no modular reduction takes place, so $m$ is simply the integer $e$-th root of $c$. Another problem is that if we are given two ciphertexts $c_1$ and $c_2$ that are encryptions of the messages $m_1$ and $m_2$, respectively, then $c = c_1 c_2 \bmod n$ is an encryption of $m_1 m_2 \bmod n$. An attacker can exploit this if he can fool the user into decrypting $c$. (The theory is that the user may be willing to reveal the decryption of messages if they seem meaningless.)

Problem 2

a. Modulo 71, the order of 7 divides 70, so it can only be one of $70, 35, 14, 10, 7, 5, 2, 1$. We compute
$$7^7 \equiv 14, \qquad 7^{35} \equiv 14^5 \equiv 70, \qquad 7^{14} \equiv 14^2 \equiv 54, \qquad 7^{10} \equiv 45 \pmod{71}.$$
Every proper divisor of 70 divides 35, 14 or 10, and $7^{35}$, $7^{14}$ and $7^{10}$ are all different from 1. Therefore the order of 7 modulo 71 is 70.

b. Since $\sqrt{70} \approx 8.4$, we take $m = 8$ baby steps and compute the table
$$7^0 \equiv 1, \quad 7^1 \equiv 7, \quad 7^2 \equiv 49, \quad 7^3 \equiv 59, \quad 7^4 \equiv 58, \quad 7^5 \equiv 51, \quad 7^6 \equiv 2, \quad 7^7 \equiv 14 \pmod{71}.$$
We compute $7^8 \equiv 27 \pmod{71}$ and find an inverse of 27 modulo 71:
$$71 = 2 \cdot 27 + 17, \quad 27 = 1 \cdot 17 + 10, \quad 17 = 1 \cdot 10 + 7, \quad 10 = 1 \cdot 7 + 3, \quad 7 = 2 \cdot 3 + 1,$$
and substituting back,
$$1 = 7 - 2 \cdot 3 = 3 \cdot 7 - 2 \cdot 10 = 3 \cdot 17 - 5 \cdot 10 = 8 \cdot 17 - 5 \cdot 27 = 8 \cdot 71 - 21 \cdot 27.$$

Our inverse is $-21 \equiv 50 \pmod{71}$. Now we compute the giant steps
$$57 \cdot 50 \equiv 10, \quad 57 \cdot 50^2 \equiv 3, \quad 57 \cdot 50^3 \equiv 8, \quad 57 \cdot 50^4 \equiv 45, \quad 57 \cdot 50^5 \equiv 49 \equiv 7^2 \pmod{71}.$$
This gives us
$$57 \equiv 7^2 \cdot (7^8)^5 \equiv 7^{42} \pmod{71},$$
and $\log_7 57 = 42$.

c. We use $f(x) = x^2 + 1$ with the two sequences $x_i$ and $y_i = x_{2i}$, starting from 2, and compute
$$x_1 \equiv 2^2 + 1 \equiv 5, \qquad y_1 \equiv (2^2 + 1)^2 + 1 \equiv 26 \pmod{253}, \qquad \gcd(26 - 5, 253) = \gcd(21, 253) = 1,$$
$$x_2 \equiv 5^2 + 1 \equiv 26, \qquad y_2 \equiv (26^2 + 1)^2 + 1 \equiv 147 \pmod{253}, \qquad \gcd(147 - 26, 253) = \gcd(121, 253) = 11.$$
We find that $253 = 11 \cdot 23$.

Problem 3

a. Key generation: From the system parameters $p$ and $g$ (the order of $g$ is $p-1$ for simplicity), we choose $a \in \{0, 1, \ldots, p-2\}$ at random and compute $x = g^a \bmod p$. The public key is $x$, the private key is $a$.

Encryption: We choose $k \in \{0, 1, \ldots, p-2\}$ at random and compute $y = g^k \bmod p$, $z = x^k \bmod p$. The ciphertext is $c = (y, zm \bmod p)$.

Decryption: The decryption of $c = (y, w)$ is $w (y^a)^{-1} \bmod p$. Since
$$w (y^a)^{-1} \equiv (g^a)^k m \left((g^k)^a\right)^{-1} \equiv m \pmod p,$$
decryption of encryptions of $m$ always yields $m$.

For the secret key $a = 11$ (with $p = 29$, $g = 2$), we compute $x = 2^{11} \bmod 29 = 18$ as the public key. Decryption of $c = (3, 15)$: We compute $(3^{11})^{-1} \equiv 3^{-11} \equiv 3^{17} \equiv 2 \pmod{29}$, and $m = 15 \cdot 2 \bmod 29 = 1$.

b. We know that $25 \equiv 24^a \cdot 7 \pmod{29}$, that is, $(24, 25)$ is an encryption of 7 with the same $y = 24$, and hence the same $k$, as the ciphertext we want to decrypt. So $(24^a)^{-1} \equiv 25^{-1} \cdot 7 \pmod{29}$. The decryption of $(24, 3)$ is $m \equiv 3 \cdot (24^a)^{-1} \equiv 3 \cdot 25^{-1} \cdot 7 \pmod{29}$. We know that $25 \equiv -4 \pmod{29}$ and $(-4) \cdot 7 = -28 \equiv 1 \pmod{29}$, so $25^{-1} \equiv 7$ and $m \equiv 3 \cdot 7 \cdot 7 \equiv 2 \pmod{29}$.
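Problem 2 of this exam (the order of 7 modulo 71, baby-step giant-step for $\log_7 57$, and Pollard's rho method on 253), as an added Python example that is not part of the exam solutions. The baby-step giant-step routine uses the exam's $m = 8$ and the inverse $7^{-8} \equiv 50$ and finds $57 \equiv 7^2 (7^8)^5$ at the fifth giant step, as in the hand computation; the rho routine is Floyd's cycle finding on $f(x) = x^2 + 1$ and reproduces the two gcd's 21 and 121. Function names and the starting point $x_0 = 2$ are my choices.

```python
"""Order of an element, baby-step giant-step and Pollard's rho method with
f(x) = x^2 + 1, as in Problem 2 of the 2006-12-12 exam (added example)."""
from math import gcd, isqrt


def multiplicative_order(g, p):
    """Order of g mod prime p: the smallest divisor d of p-1 with g^d = 1.
    Checking the divisors of p-1 is exactly what the exam does by hand."""
    n = p - 1
    return min(d for d in range(1, n + 1) if n % d == 0 and pow(g, d, p) == 1)


def bsgs(g, h, p, n):
    """log_g h mod p, where n is the order of g. Baby steps: table of g^j for
    j < m. Giant steps: multiply h by (g^m)^{-1} until the value is in the
    table; then h = g^j * (g^m)^i, i.e. log = i*m + j. About sqrt(n) work."""
    m = isqrt(n)                          # exam: sqrt(70) ~ 8.4, so m = 8
    baby = {pow(g, j, p): j for j in range(m)}
    giant_factor = pow(g, -m, p)          # (g^m)^{-1}; for g = 7, p = 71: 27^{-1} = 50
    gamma = h % p
    for i in range(n // m + 1):           # enough giant steps to cover 0..n-1
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_factor % p
    return None                           # h not in the subgroup generated by g


def pollard_rho(n, x0=2):
    """Floyd cycle finding on x -> x^2 + 1 mod n. Returns a proper factor, or
    None if the walk closes up modulo every factor at once (retry with another x0)."""
    def f(x):
        return (x * x + 1) % n

    x = y = x0
    while True:
        x = f(x)                          # tortoise: one step   (x_1 = 5, x_2 = 26, ...)
        y = f(f(y))                       # hare: two steps      (y_1 = 26, y_2 = 147, ...)
        d = gcd(abs(x - y), n)            # gcd(21, 253) = 1, then gcd(121, 253) = 11
        if d == n:
            return None
        if d > 1:
            return d


if __name__ == "__main__":
    print(multiplicative_order(7, 71))    # 70
    print(bsgs(7, 57, 71, 70))            # 42
    print(pollard_rho(253))               # 11
```

Baby-step giant-step is generic (it works in any group and needs only the group order), which is why discrete-logarithm parameters must make $\sqrt{n}$ infeasible; rho with $x^2 + 1$ finds a factor $p$ of $n$ in about $\sqrt{p}$ steps, so it is the method of choice for small factors regardless of whether $p - 1$ is smooth.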
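ElGamal as described in Problem 3 above, with the exam's $p = 29$, $g = 2$, $a = 11$, as an added Python example that is not part of the exam solutions. Besides key generation, encryption and decryption, it carries out part b without the private key: two ciphertexts with the same $y$ were made with the same $k$, so they carry the same mask $z = x^k$, and one known plaintext (7 under $(24, 25)$) reveals the mask and hence the other message. The function names are my choices.

```python
"""ElGamal over Z_29 with g = 2, and the consequence of reusing the randomness k
(Problem 3 of the 2006-12-12 exam; added example with the exam's numbers)."""

P, G = 29, 2


def elgamal_keygen(a):
    """Private key a in {0, ..., p-2}, public key x = g^a. Returns (x, a)."""
    return pow(G, a, P), a


def elgamal_encrypt(x, m, k):
    """Ciphertext (y, w) = (g^k, x^k * m). k must be fresh and secret for every message."""
    y = pow(G, k, P)
    z = pow(x, k, P)
    return y, z * m % P


def elgamal_decrypt(a, c):
    """m = w * (y^a)^{-1}; y^a = g^{ak} = x^k is the mask z."""
    y, w = c
    return w * pow(pow(y, a, P), -1, P) % P


def recover_with_known_plaintext(known_m, known_c, target_c):
    """Problem 3 b without the private key: the same y in both ciphertexts means
    the same k and therefore the same mask z = x^k. The known plaintext gives
    z = w1 / known_m, and then the target message is w2 / z."""
    y1, w1 = known_c
    y2, w2 = target_c
    if y1 != y2:
        raise ValueError("different y, hence different k: the mask is not shared")
    z = w1 * pow(known_m, -1, P) % P
    return w2 * pow(z, -1, P) % P


if __name__ == "__main__":
    x, a = elgamal_keygen(11)                          # x = 18
    print(x, elgamal_decrypt(a, (3, 15)))              # 18 1
    print(elgamal_encrypt(x, 7, 8))                    # (24, 25): k = 8 gives y = 24
    print(recover_with_known_plaintext(7, (24, 25), (24, 3)))   # 2, no key needed
```

The same reuse breaks ElGamal signatures and DSA (one repeated $k$ leaks the private key), which is why modern implementations derive $k$ deterministically from the key and message (RFC 6979) rather than trusting a random source.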

Problem 4

a. A key stream generator is an algorithm that on input of a key and an initialization vector outputs a given number of bits. Denote the first $L$ output bits of the key stream generator with key $k$ and initialization vector $iv$ by $f(k, iv, L)$.

A stream cipher encrypts a message $m$ of length $L$ with key $k$ as follows: It chooses a random initialization vector $iv$, uses the key stream generator with input $iv$ and $k$ to generate $L$ bits $z = f(k, iv, L)$, and outputs the ciphertext $c = iv \,\|\, (m \oplus z)$. To decrypt the ciphertext $c$, it is first parsed as $iv \,\|\, w$, the key stream generator with input $iv$ and $k$ generates $L$ bits $z$, and the message is $w \oplus z$. This works since $m \oplus z \oplus z = m$.

If the same initialization vector is used to encrypt two distinct messages $m_1$ and $m_2$ (we may as well assume they are of equal length), we get two ciphertexts $c_1 = iv \,\|\, w_1$ and $c_2 = iv \,\|\, w_2$, where $w_1 = m_1 \oplus f(k, iv, L)$ and $w_2 = m_2 \oplus f(k, iv, L)$. Then $w_1 \oplus w_2 = m_1 \oplus m_2$, and from this, information about $m_1$ and $m_2$ can often be recovered, as in the two-time pad.

b. We compute the output as shown in the diagram. [LFSR diagram not reproduced; the bit values as extracted are 1 0 1 1 1 0 0 1 0 0 0 1 1 0 1 1 1 1 0 1 1 1 0 0 0 1.] The bits in blue come from the initialization vector, the bits in red are key bits, the violet bit is the parity bit, and the bits in black are the bits generated by the LFSR feedback. The dots above describe the LFSR feedback. The dots below the line describe the filter function, where dots connected by lines should be ANDed together and the dots in one row should be added (XORed) together. The output is $0000\,0000$.

c. From the above diagram, we see that the second output bit depends only on bits from the initialization vector. Using the given initialization vector $0\,0$, we get that the second output bit is 1, which corresponds to the message being $0000$.
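The stream cipher of Problem 4 a and the two failure modes of parts a and c, as an added Python example that is not part of the exam solutions. The exam's LFSR and filter function are not reproduced on this page, so the key stream generator below is a hypothetical toy LFSR of my own (state loaded as $iv \,\|\, k$, feedback taps of my choice, output = the bit leaving the register); the encryption is $c = iv \,\|\, (m \oplus z)$ exactly as in the solution. `two_time_pad` shows the IV-reuse leak of part a. Because the toy generator emits the IV-loaded end of the register first, its first $|iv|$ key stream bits depend only on the IV, which is the same kind of flaw as in part c, where an output bit depends only on IV bits: `prefix_leak` reads those message bits from the ciphertext alone.

```python
"""Stream cipher c = iv || (m xor z) on a toy LFSR key stream generator, and
the two failure modes of Problem 4: IV reuse (two-time pad) and key stream bits
that depend only on the IV (added example; the LFSR is hypothetical, not the
exam's diagram)."""


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def keystream(key, iv, n, taps=(0, 2, 3, 5)):
    """Toy LFSR loaded with iv || key (hypothetical taps). The output is the bit
    leaving the register, so the first len(iv) key stream bits are the IV
    itself: those bits do not depend on the key at all (compare part c)."""
    state = list(iv) + list(key)
    if max(taps) >= len(state):
        raise ValueError("tap outside the register")
    z = []
    for _ in range(n):
        z.append(state[0])
        fb = 0
        for t in taps:
            fb ^= state[t]
        state = state[1:] + [fb]
    return z


def encrypt(key, iv, m):
    """c = iv || (m xor f(k, iv, L))."""
    return list(iv) + xor_bits(m, keystream(key, iv, len(m)))


def decrypt(key, c, iv_len):
    iv, w = c[:iv_len], c[iv_len:]
    return xor_bits(w, keystream(key, iv, len(w)))


def two_time_pad(c1, c2, iv_len):
    """With a shared IV the key stream cancels: w1 xor w2 = m1 xor m2."""
    if c1[:iv_len] != c2[:iv_len]:
        raise ValueError("IVs differ; nothing cancels")
    return xor_bits(c1[iv_len:], c2[iv_len:])


def prefix_leak(c, iv_len):
    """No key needed: the first iv_len key stream bits equal the IV, which is
    sent in the clear, so the first iv_len message bits are readable."""
    iv = c[:iv_len]
    return xor_bits(c[iv_len:2 * iv_len], iv)


if __name__ == "__main__":
    key, iv = [1, 0, 1, 1], [0, 1, 1, 0]               # constructed sample values
    m1 = [1, 1, 0, 1, 0, 0, 1, 0, 1, 1]
    m2 = [0, 1, 1, 1, 1, 0, 0, 0, 1, 0]
    c1, c2 = encrypt(key, iv, m1), encrypt(key, iv, m2)
    print(decrypt(key, c1, 4) == m1)                    # True
    print(two_time_pad(c1, c2, 4) == xor_bits(m1, m2))  # True: m1 xor m2 leaks
    print(prefix_leak(c1, 4) == m1[:4])                 # True: first bits leak without the key
```

Real generators avoid the second flaw by running the register for a number of clocks after loading key and IV and discarding that output, so that every key stream bit depends non-linearly on all key bits; nothing, however, repairs IV reuse, which has to be prevented by the caller.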