DUBLIN CITY UNIVERSITY SEMESTER ONE EXAMINATIONS 2013/2014
MODULE: CA642/A Cryptography and Number Theory
PROGRAMME(S): MSSF MSc in Security & Forensic Computing; MCM M.Sc. in Computing; ECSA Study Abroad (Engineering & Computing); ECSAO Study Abroad (Engineering & Computing)
YEAR OF STUDY: 1,2,C,O,X
EXAMINERS: Prof. M. O'Neill, Dr. B. Lee, Dr. G. Hamilton, Ext no. 5017.
TIME ALLOWED: 3 hours
INSTRUCTIONS: Please answer ALL questions. All questions carry equal marks. Please do not turn over this page until instructed to do so. The use of programmable or text storing calculators is expressly forbidden.
PAGE 1 OF 8
QUESTION 1 [TOTAL MARKS: 20]

1(a) Calculate $117^{-1} \pmod{191}$ and use this to calculate $77/117 \pmod{191}$.

We need to use the extended Euclidean GCD algorithm to calculate this. First the division steps:

191 = 117 + 74
117 = 74 + 43
74 = 43 + 31
43 = 31 + 12
31 = (12 × 2) + 7
12 = 7 + 5
7 = 5 + 2
5 = (2 × 2) + 1

Then back-substitute to express each remainder as a combination of 191 and 117:

74 = 191 − 117
43 = 117 − 74 = 117 − (191 − 117) = (2 × 117) − 191
31 = 74 − 43 = 191 − 117 − (2 × 117) + 191 = (2 × 191) − (3 × 117)
12 = 43 − 31 = (2 × 117) − 191 − (2 × 191) + (3 × 117) = (5 × 117) − (3 × 191)
7 = 31 − (12 × 2) = (2 × 191) − (3 × 117) − (10 × 117) + (6 × 191) = (8 × 191) − (13 × 117)
5 = 12 − 7 = (5 × 117) − (3 × 191) − (8 × 191) + (13 × 117) = (18 × 117) − (11 × 191)
2 = 7 − 5 = (8 × 191) − (13 × 117) − (18 × 117) + (11 × 191) = (19 × 191) − (31 × 117)
1 = 5 − (2 × 2) = (18 × 117) − (11 × 191) − (38 × 191) + (62 × 117) = (80 × 117) − (49 × 191)

So $117^{-1} \pmod{191} = 80$ (check: $80 \times 117 = 9360 = 49 \times 191 + 1$), and
$77/117 \pmod{191} = 77 \times 80 \pmod{191} = 6160 \pmod{191} = 48$.

1(b) Calculate $\varphi(20)$, where $\varphi$ is the Euler totient function. Use this to calculate $23^{615} \pmod{20}$.

$\varphi(20) = \varphi(4)\,\varphi(5) = 2 \times 4 = 8$. Since $\gcd(23, 20) = 1$, Euler's theorem lets us reduce the exponent modulo $\varphi(20)$:
$23^{615} \pmod{20} = 3^{615 \bmod \varphi(20)} \pmod{20} = 3^{615 \bmod 8} \pmod{20} = 3^{7} \pmod{20} = 2187 \pmod{20} = 7$.

1(c) Calculate the least significant decimal digit of $77737^{5373}$.

This is $77737^{5373} \pmod{10} = 7^{5373} \pmod{10}$. Since $\gcd(7, 10) = 1$ and $\varphi(10) = 4$, this equals $7^{5373 \bmod 4} \pmod{10} = 7^{1} = 7$.

1(d) Find all the square roots of 11 mod 35.

Work modulo each prime factor of $35 = 5 \times 7$ and then combine. Since $7 \equiv 3 \pmod 4$, a square root of $a$ mod 7 is $\pm a^{(7+1)/4}$, so $\sqrt{11} \pmod 7 = \pm 11^{2} \pmod 7 = \pm 2 \pmod 7$.
Since $5 \equiv 5 \pmod 8$ we use the formula for that case, which for $11 \equiv 1 \pmod 5$ gives $\sqrt{11} \pmod 5 = \pm 1 \pmod 5$.

Combining each choice of sign ($x \equiv \pm 2 \pmod 7$, $x \equiv \pm 1 \pmod 5$) with the Chinese Remainder Theorem, the square roots of 11 mod 35 are $\pm 9$ and $\pm 16$, i.e. 9, 16, 19 and 26 (check: $9^2 = 81 \equiv 11$ and $16^2 = 256 \equiv 11 \pmod{35}$).

QUESTION 2 [TOTAL MARKS: 20]

2(a) Compare and contrast stream ciphers and block ciphers.

Block ciphers encrypt one fixed-size block of data at a time, while stream ciphers encrypt a stream of data of arbitrary length, typically by combining it bit-by-bit or byte-by-byte with a keystream. Stream ciphers use simpler arithmetic, so tend to be more efficient, but block ciphers are more versatile and can also be used to implement stream ciphers (the OFB and CFB modes below do exactly this).

2(b) [8 Marks] Describe the Cipher Block Chaining (CBC) mode of operation for block ciphers (use diagrams if necessary). What is the role of the Initialisation Vector (IV)? What are the dangers if an IV is:
- tampered with
- known to an attacker
- reused with the same key

In CBC mode each plaintext block is exclusive-ored with the previous ciphertext block before encryption, $C_i = E_K(P_i \oplus C_{i-1})$, and decryption reverses this, $P_i = D_K(C_i) \oplus C_{i-1}$. The IV plays the role of $C_0$: it gives an initial value for the first block and should be different for different messages, so that identical messages (or identical message prefixes) do not produce identical ciphertexts and patterns and repetitions stay hidden.

- Tampered with: since $P_1 = D_K(C_1) \oplus IV$, flipping a bit of the IV flips the same bit of the first plaintext block on decryption without disturbing any other block, so an attacker can make controlled changes to the start of the message. An IV sent in the clear therefore needs integrity protection (for example a MAC over IV and ciphertext).
- Known to an attacker: there is no problem if the IV becomes known once the ciphertext has been produced; it is normally transmitted in the clear. It must, however, be unpredictable before encryption: an attacker who can predict the next IV can choose plaintexts so that $P_1 \oplus IV$ takes a value of their choosing, which turns the encryptor into a chosen-plaintext oracle for guessing earlier blocks.
- Reused with the same key: identical plaintext prefixes then produce identical ciphertext prefixes, so patterns and repetitions within and across the underlying messages are revealed.

2(c) [7 Marks] Compare and contrast the Output Feed Back (OFB) and Cipher Feed Back (CFB) modes of operation for block ciphers with respect to the following (use diagrams if necessary):
- Encryption
- Decryption
- Error propagation

In OFB mode, the keystream is generated by first encrypting the IV, selecting some bits of this for the keystream, and then feeding back the output of the encryption for further processing in the
same way. The ciphertext is obtained from the exclusive-or of the keystream with the plaintext, and the plaintext can be recovered from the ciphertext by exclusive-or with the same keystream; because the keystream depends only on the key and IV, it can be precomputed before any data arrives. In CFB mode, the keystream is generated by first encrypting the IV, selecting some bits of this for the keystream, obtaining the corresponding ciphertext from the exclusive-or of this keystream with the plaintext, and then feeding back this ciphertext for further processing in the same way. The plaintext is again recovered from the ciphertext by exclusive-or with the keystream, but here the keystream cannot be precomputed because each segment depends on the previous ciphertext. In both modes encryption and decryption use only the block cipher's encryption function, never its decryption function.

Error propagation: in OFB mode a bit error in the ciphertext flips only the corresponding plaintext bit, so errors are copied and none are propagated (although a lost or inserted bit destroys synchronisation for the rest of the message). In CFB mode a corrupted ciphertext segment garbles the corresponding plaintext segment and, because it is fed back into the shift register, the following $\lceil n/j \rceil$ segments as well, so errors propagate over $\lceil n/j \rceil + 1$ segments, where $n$ is the cipher block size and $j$ is the feedback segment size; after that the mode resynchronises itself.

QUESTION 3 [TOTAL MARKS: 20]

Consider the following graphical representation of the FEAL-4 cipher (diagram not reproduced in this extract):

3(a) What weakness in its design leaves FEAL-4 open to linear cryptanalysis?
The round function of FEAL-4 is built only from XOR, byte additions modulo 256 and bit rotations. Because the least significant bit of a modular sum is exactly the XOR of the inputs' least significant bits (no carry is involved), certain bits of the output of the round function are exact linear (XOR) functions of input and key bits, and other bits satisfy linear relations with a large bias. These linear relationships between the inputs and outputs of the round function can be chained across the four rounds into expressions relating plaintext, ciphertext and key bits, which is precisely what linear cryptanalysis exploits.

3(b) [10 Marks] Describe in detail how you would go about launching a linear cryptanalysis attack on FEAL-4.

This was the subject of a major course project, so the students should know this in detail. In outline, a full answer covers the following steps:
1. Collect a large number of known plaintext/ciphertext pairs encrypted under the unknown key.
2. Find linear approximations of the round function, i.e. XOR relations between selected input bits, output bits and key bits that hold with probability 1 or with probability $1/2 + \epsilon$ for large $|\epsilon|$, starting from the carry-free least significant bits of the byte additions.
3. Chain these approximations through the first three rounds into one expression involving only plaintext bits, bits of the input to the last round function, and key bits.
4. For each candidate value of the last-round subkey bits that affect the expression, partially decrypt every pair through the last round, evaluate the expression and count how often it holds; the correct guess is the one whose count deviates most from half the number of pairs (for a probability-1 relation, the only one for which it holds on every pair).
5. Remove the recovered round and repeat on the remaining three-round cipher until all round subkeys are recovered.

3(c) Is there any small change to the design of FEAL-4 that you can suggest that could strengthen it?

The addition of a non-linear component in the round function, such as a non-linear S-box chosen to have no high-bias linear approximations, would suffice.

QUESTION 4 [TOTAL MARKS: 20]

4(a) [7 Marks] Describe the Merkle-Damgård construction which is often used in the implementation of hash functions. What properties are required for a hash function to be considered to be cryptographically secure and why?

The Merkle-Damgård construction divides the message $M$ into fixed-length blocks $M_1, M_2, \dots$, pads the last block and appends the message length to it; we denote the resulting last block (after all padding) by $M_n$. The hash function then applies a collision-resistant compression function $f$ to each of the blocks sequentially: $f$ takes as input the result of the previous application (or a fixed initial value IV for the first block) and the block itself, $H_i = f(H_{i-1}, M_i)$ with $H_0 = IV$, and outputs a chaining value that feeds the next application. The digest is the final value $H_n$. Appending the length (Merkle-Damgård strengthening) is what allows the collision resistance of the whole hash to be reduced to that of $f$.

To be considered cryptographically secure, a hash function should be pre-image resistant and collision-free. A hash function is pre-image resistant if, given a digest, it is computationally infeasible to recover any data that hashes to it. This is important because the original data may need to be kept secret (stored password hashes are the usual example). A hash function is weakly collision-free or second pre-image resistant if, given $M$, it is computationally infeasible to find a different $M'$ such that $H(M) = H(M')$. It is strongly collision-free (collision resistant) if it is computationally infeasible to find any pair of different messages $M$ and $M'$ such that $H(M) = H(M')$.
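The iteration described in 4(a), as an added example (this is not code from the exam or the examiners): a Merkle-Damgård hash in Python with length-strengthening padding, using SHA-256 as a stand-in for the compression function $f$ (an assumption made for brevity; real designs use a dedicated compression function). It goes one step beyond the question by showing a consequence of the digest being the final chaining value $H_n$: anyone who knows $H(m)$ and the length of $m$, but not $m$ itself, can compute $H(m \,\|\, \mathrm{pad}(m) \,\|\, \mathrm{suffix})$, which is why a keyed hash must not be built as $H(\text{key} \,\|\, \text{message})$. The secret and messages are constructed for the demonstration.

```python
import hashlib
import struct

BLOCK = 64    # bytes per message block M_i
DIGEST = 32   # bytes of chaining value H_i (and of the final output)
IV = bytes(DIGEST)   # fixed, public initial value H_0 (an arbitrary constant here)


def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function f(H_{i-1}, M_i) = SHA-256(H_{i-1} || M_i).
    SHA-256 only stands in for a collision-resistant f; the Merkle-Damgard
    iteration around it is the construction from the question."""
    assert len(h) == DIGEST and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()


def md_pad(total_len: int) -> bytes:
    """Merkle-Damgard strengthening: a 0x80 byte, zero fill, then the message
    bit length as a 64-bit big-endian integer, so the result is block aligned."""
    zeros = (BLOCK - 8 - (total_len + 1)) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", total_len * 8)


def md_hash(msg: bytes, h: bytes = IV, done: int = 0) -> bytes:
    """Iterate f over the padded blocks, H_i = f(H_{i-1}, M_i), and return H_n.
    `h` and `done` let a caller resume from a known chaining value after
    `done` bytes (a multiple of BLOCK); normal callers keep the defaults."""
    data = msg + md_pad(done + len(msg))
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h


def length_extend(digest: bytes, msg_len: int, suffix: bytes):
    """Given only H(m) and len(m), compute H(m || pad(m) || suffix) by resuming
    the iteration from H(m), which is the chaining value after m's blocks.
    Returns (glue, forged_digest) where glue = pad(m) || suffix."""
    glue = md_pad(msg_len)
    forged = md_hash(suffix, h=digest, done=msg_len + len(glue))
    return glue + suffix, forged


if __name__ == "__main__":
    secret = b"constructed-secret-key"          # never seen by the attacker
    msg = secret + b"&amount=10"
    tag = md_hash(msg)                          # naive "MAC" = H(key || msg)
    ext, forged = length_extend(tag, len(msg), b"&amount=1000000")
    print(md_hash(msg + ext) == forged)         # True: the forged tag verifies
```

The extension works because the padding bytes can be computed from the message length alone; the fix is a construction such as HMAC, which applies the hash twice with the key so the outer digest is not a resumable state.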
These properties are important because being able to find collisions relatively easily allows an attacker to replace one message with another which they have found to have the same digest, for example substituting a different document under an unchanged signature.

4(b) [8 Marks] What properties are required for a cryptographically secure pseudorandom number generator? Describe the Blum Blum Shub pseudorandom number generator, and explain why it is cryptographically secure.
Some properties required for a cryptographically secure pseudorandom number generator are as follows:
- Randomness: uniformity, scalability, consistency.
- Unpredictability: it must not be possible to determine what the next bit will be despite knowledge of the algorithm and all previous bits.
- Unreproducibility: the output cannot be reliably reproduced without knowing the seed.
Characteristics of the seed: it must be kept secret, since if it is known the adversary can determine the entire output; and it must itself be a random or pseudorandom number.

The Blum Blum Shub pseudorandom number generator works as follows:
- Find two large primes $p, q$ congruent to 3 (mod 4) and set $m = pq$.
- Calculate the seed as $X_0 = k^2 \bmod m$ for some $k$ relatively prime to $m$.
- Iterate $X_{n+1} = X_n^2 \bmod m$ and use the least significant bit of each $X_{n+1}$ as output.

This is cryptographically secure because to predict the output (or recover the state) we would need to determine square roots modulo the composite $m$. If we were able to do this, then we would be able to factor the modulus (given a root $s$ of $r^2 \bmod m$ with $s \neq \pm r$, $\gcd(r - s, m)$ is a factor), and factoring is a known hard problem, so predicting the generator is at least as hard.

4(c) Describe how a hash function can be used to implement a cryptographically secure pseudorandom number generator.

Hash functions can be used to implement a cryptographically secure pseudorandom number generator (PRNG) as follows. First seed the PRNG with some random data $S$. This is hashed to produce the first internal state $S_0 = H(S)$. By repeatedly calling $H$ we generate a sequence of internal states $S_1, S_2, \dots$ using $S_i = H(S_{i-1})$. From each state $S_i$ we extract some bits to produce a random number $N_i$. This PRNG is secure if the sequence of values $S, S_0, S_1, \dots$ is kept secret and the number of bits of $S_i$ used to form $N_i$ is relatively small: if a whole state were ever revealed, every subsequent output could be computed by anyone able to evaluate $H$.
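The two generators of 4(b) and 4(c), as an added example in Python (not code from the exam or the examiners). The BBS parameters $p = 11$, $q = 19$, $k = 3$ are constructed toy values (real moduli are hundreds of digits); SHA-256 is assumed as the hash $H$. The `predict_next` function makes the last sentence of 4(c) concrete: when an output reveals the whole state, the next output is just $H$ of it.

```python
import hashlib
from math import gcd
from typing import List, Optional


def bbs_bits(p: int, q: int, k: int, n: int) -> List[int]:
    """Blum Blum Shub: m = p*q with p, q = 3 mod 4, seed x_0 = k^2 mod m,
    x_{i+1} = x_i^2 mod m, output the least significant bit of each x_{i+1}."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    m = p * q
    if gcd(k, m) != 1:
        raise ValueError("seed k must be relatively prime to m")
    x = k * k % m                     # x_0
    bits = []
    for _ in range(n):
        x = x * x % m                 # x_{i+1} = x_i^2 mod m
        bits.append(x & 1)
    return bits


class HashPRNG:
    """Hash-iterated generator: S_0 = H(S), S_i = H(S_{i-1}), and the output
    N_i is the first `out_bytes` bytes of S_i. The state never leaves the
    object; only the truncated N_i does."""

    def __init__(self, seed: bytes, out_bytes: int = 4):
        self._state = hashlib.sha256(seed).digest()      # S_0 = H(S)
        self.out_bytes = out_bytes

    def next_output(self) -> bytes:
        self._state = hashlib.sha256(self._state).digest()   # S_i = H(S_{i-1})
        return self._state[:self.out_bytes]                   # N_i


def predict_next(observed: bytes, out_bytes: int) -> Optional[bytes]:
    """Attacker's view. If an output N_i exposes the full 32-byte state S_i,
    the next output is simply H(S_i) truncated. With a short N_i the attacker
    would have to guess the 8*(32 - len) missing state bits instead."""
    if len(observed) < hashlib.sha256().digest_size:
        return None
    return hashlib.sha256(observed).digest()[:out_bytes]


if __name__ == "__main__":
    print(bbs_bits(11, 19, 3, 7))              # [1, 0, 0, 0, 0, 0, 1]
    leaky = HashPRNG(b"constructed seed", out_bytes=32)
    first = leaky.next_output()
    print(predict_next(first, 32) == leaky.next_output())   # True
```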
QUESTION 5 [TOTAL MARKS: 20]

5(a) [6 Marks] Describe in detail how the Rabin cryptosystem works. Your description should include how public and private key pairs are generated, how encryption and decryption are performed, and the level of security provided.

The Rabin cryptosystem works as follows. Generate two large primes $p$ and $q$ of roughly the same size (usually both $\equiv 3 \pmod 4$, which makes taking square roots easy) and compute $N = pq$. The public key is $N$ and the private key is $(p, q)$. To encrypt a message, represent it as an integer $m \in \{0, 1, \dots, N-1\}$ and calculate the ciphertext $c = m^2 \pmod N$. To recover the message from a ciphertext, calculate $m = \sqrt{c} \pmod N$ using the private key; there are four such square roots, and the intended one is identified by redundancy in the plaintext (see 5(c)). Recovering a plaintext from a ciphertext without the private key is provably equivalent to integer factorisation: the factors obviously suffice to decrypt, and conversely any procedure that takes square roots modulo $N$ can be used to factor $N$. The same equivalence means that Rabin without redundancy is broken completely by a chosen-ciphertext attack, since a decryption oracle yields the factors of $N$.

5(b) [6 Marks] Show how the Pollard $p-1$ method for integer factorisation works. Use it to find the factors of 209 using a smoothness bound $B = 6$.

The Pollard $p-1$ method for the factorisation of an integer $N$ works as follows:
1. Select a value $a$ such that $\gcd(a, N) = 1$.
2. Find all the primes $p_1, \dots, p_n \le B$ and for each the largest exponent $e_i$ such that $p_i^{e_i} \le B$.
3. Calculate $M = \prod_{i=1}^{n} p_i^{e_i}$. This is the least common multiple of all positive integers up to $B$. The intention is that $M$ is a multiple of $p-1$, where $p$ is one of the prime factors of $N$; this will be the case if $p-1$ is $B$-powersmooth. If $(p-1) \mid M$ then $a^M \equiv 1 \pmod p$ by Fermat's little theorem, so $p \mid \gcd(a^M - 1, N)$.
4. Calculate $\gcd(a^M - 1, N)$, and if this is neither 1 nor $N$, then it is a factor of $N$.

Since 209 is odd, $\gcd(2, 209) = 1$ and we use $a = 2$. The primes $p_i \le 6$ are 2, 3, 5 and the corresponding exponents $e_i$ with $p_i^{e_i} \le 6$ are 2, 1, 1 respectively ($2^2 = 4 \le 6 < 2^3$). We calculate $M = 2^2 \times 3^1 \times 5^1 = 60$. Then $2^{60} \pmod{209} = 45$ and $\gcd(44, 209) = 11$. So 11 is one factor and we can easily determine that $209/11 = 19$ is the other. (The method succeeds here because $11 - 1 = 10$ divides 60 while $19 - 1 = 18$ does not; had both $p-1$ and $q-1$ divided $M$ the gcd would have been $N$ itself.)

5(c) [8 Marks] Describe how decryption in the Rabin cryptosystem can be performed with knowledge of the prime factors of the modulus.
Use the described method to determine the four plaintexts which are possible decrypts of the ciphertext 130 when the
public key $N = 209$. How can we determine which one of these plaintexts is the correct one?

With the factors known, a square root of $c$ modulo $N$ is found by taking a square root modulo each prime separately and combining them with the Chinese Remainder Theorem; when $p \equiv 3 \pmod 4$ the roots modulo $p$ are $\pm c^{(p+1)/4} \pmod p$. Here we need $\sqrt{130} \pmod{209}$, and since the factors of 209 are 11 and 19 (both $\equiv 3 \pmod 4$) we can compute:

$\sqrt{130} \pmod{11} = \sqrt{9} \pmod{11} = \pm 9^{(11+1)/4} = \pm 9^{3} = \pm 729 \pmod{11} = \pm 3 \pmod{11}$
$\sqrt{130} \pmod{19} = \sqrt{16} \pmod{19} = \pm 16^{(19+1)/4} = \pm 16^{5} = \pm 1048576 \pmod{19} = \pm 4 \pmod{19}$

Combining these values (each choice of signs) using the Chinese Remainder Theorem, we obtain the four possible square roots $\pm 80$ and $\pm 91$. The four possible messages are therefore 80, 129, 91 and 118 (check: $80^2 = 6400 \equiv 130$ and $91^2 = 8281 \equiv 130 \pmod{209}$).

To determine which one of these plaintexts is the correct one, we need to have added redundancy to the original plaintext before encryption (for example, repeating part of the message or appending a fixed pattern), and check for this same redundancy in the decrypts, accepting only the root that exhibits it. With enough redundancy the chance that a wrong root also passes the check is negligible.

[END OF EXAM]
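The number-theoretic procedures of Questions 1 and 5 share the same helpers, so they are collected here in one added Python example (not code from the exam or the examiners): the extended Euclidean algorithm of 1(a), square roots modulo $p \equiv 3 \pmod 4$ and $p \equiv 5 \pmod 8$ combined by CRT as in 1(d) and 5(c), Rabin with a redundancy check as asked in 5(c), the square-root-oracle factoring argument behind 5(a) and 4(b), and Pollard $p-1$ from 5(b). The constants `P = 1019`, `Q = 1031`, the redundancy width `R` and the test messages are constructed for the demonstration; the exam's own values (117 mod 191, 11 mod 35, 130 mod 209, 209 with $B = 6$) are reproduced by the functions. Note that the prime sieve in `pollard_p_minus_1` uses primes up to and including `bound`, which makes no difference for $B = 6$.

```python
from math import gcd
import random


def egcd(a: int, b: int):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b).
    (x0, x1) and (y0, y1) carry the back-substitution of 1(a) along."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def sqrt_mod_prime(a: int, p: int) -> int:
    """One square root of a mod p for the prime shapes used in 1(d) and 5(c)."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError(f"{a} is not a quadratic residue mod {p}")
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:                            # Atkin's formula for p = 5 mod 8
        v = pow(2 * a, (p - 5) // 8, p)
        i = 2 * a * v * v % p
        return a * v * (i - 1) % p
    raise NotImplementedError("p = 1 mod 8 needs Tonelli-Shanks")

def crt(r1: int, m1: int, r2: int, m2: int) -> int:
    """The x mod m1*m2 with x = r1 (mod m1) and x = r2 (mod m2), m1, m2 coprime."""
    return (r1 + m1 * ((r2 - r1) * modinv(m1, m2) % m2)) % (m1 * m2)

def sqrt_mod_pq(a: int, p: int, q: int):
    """All four square roots of a mod p*q: each sign mod p with each sign mod q."""
    rp, rq = sqrt_mod_prime(a, p), sqrt_mod_prime(a, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})

# Rabin with redundancy: the encoded message repeats its low R bits, so only a
# root whose upper part equals its tail is accepted on decryption.
R = 10
P, Q = 1019, 1031              # constructed toy key; both primes are 3 mod 4
N = P * Q                      # 1050589

def rabin_check(m: int) -> bool:
    return (m >> R) == (m & ((1 << R) - 1))

def rabin_encrypt(v: int, n: int) -> int:
    m = (v << R) | v           # add the redundancy before squaring
    if m >= n:
        raise ValueError("message too long for the modulus")
    return pow(m, 2, n)

def rabin_decrypt(c: int, p: int, q: int) -> int:
    """Take the four roots with the private key; exactly one must pass the
    redundancy check, otherwise the ciphertext is rejected."""
    good = [m for m in sqrt_mod_pq(c, p, q) if rabin_check(m)]
    if len(good) != 1:
        raise ValueError(f"{len(good)} roots pass the redundancy check")
    return good[0] >> R

def factor_with_root_oracle(n: int, root_oracle, rng=random) -> int:
    """Square roots mod n give factors of n: for random r, a root s of r^2 differs
    from +-r half the time and then gcd(r - s, n) is a proper factor. This is the
    chosen-ciphertext attack on redundancy-free Rabin and, read the other way,
    why predicting BBS output would let one factor its modulus."""
    while True:
        r = rng.randrange(2, n - 1)
        if gcd(r, n) != 1:
            return gcd(r, n)
        s = root_oracle(pow(r, 2, n))
        if s not in (r, n - r):
            return gcd(r - s, n)

def pollard_p_minus_1(n: int, bound: int, a: int = 2):
    """5(b): M = prod p^e over primes p <= bound with p^e <= bound (lcm(1..bound));
    if p - 1 divides M for a prime p | n then a^M = 1 mod p, so p | gcd(a^M - 1, n)."""
    if gcd(a, n) != 1:
        return gcd(a, n)
    m = 1
    for p in range(2, bound + 1):
        if all(p % d for d in range(2, p)):      # trial division; bound is tiny
            e = 1
            while p ** (e + 1) <= bound:
                e += 1
            m *= p ** e
    g = gcd(pow(a, m, n) - 1, n)
    return g if 1 < g < n else None
```

Calling `factor_with_root_oracle(N, lambda c: sqrt_mod_pq(c, P, Q)[0])` simulates an attacker who can submit chosen ciphertexts to a Rabin decryptor that returns any root; it recovers 1019 or 1031 after a couple of queries on average, which is the practical reason the redundancy in `rabin_decrypt` (reject unless exactly one root passes) matters.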