5199/IOC5063 Theory of Cryptology, 2014 Fall

Transcription

1 5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = for the RSA encryption. Assume that A has the keys (e 1, d 1 ) = (11, 26435) and B has public key (e 2, n) = (7, ). Assume that c = = m 7 mod n is sent to B. (a) Use a calculator to compute an equivalent d 2 of d 2 = e 1 2 mod φ(n) such that c d 2 mod n = m. From e 1 d 1 1 (mod φ(n)), we have k φ(n) = e 1 d 1 1 for some integer k. Then, we can compute an equivalent d 2 of d 2 = e 1 2 mod φ(n) under modulus k φ(n). If e 2 d 2 1 (mod k φ(n)), then e 2 d 2 = (k k) φ(n)+1 for some integer k. Thus, d 2 is equivalent to d 2. First, we compute k φ(146171) = Then, we use the extended Euclidean algorithm to compute d 2 = 7 1 mod By Table 1, we have d 2 = e 1 2 mod k φ(n) = 7 1 mod = mod = Table 1: gcd(x, y) = 1 ax + by = 1 x y x/y a b (b) Use the above d 2 to compute m. 1

2 We compute m = c d 2 mod n = mod = (c) Use a computer to factor n = pq = We find x and y 0 such that x 2 = y 2. Then, we can factor = x 2 y 2 = (x + y)(x y). By brute-force search, we found that x = 390 and y = 77. Thus, we have = (d) Compute y 1 = c d 1 mod p 1 mod p and y 2 = c d 1 mod q 1 mod q. Then, use the Chinese Remainder Theorem to compute m from y 1 and y 2. Compute y 1 = c d 1 mod p 1 mod p y 1 = c d 1 mod p 1 mod p = mod 312 mod 313 = mod 313 = 54 Compute y 2 = c d 1 mod q 1 mod q y 2 = c d 1 mod q 1 mod q = mod 466 mod 467 = mod 467 = 321 Compute m from y 1 and y 2 m = y 1 q (q 1 mod p) + y 2 p (p 1 mod q) mod n = (467 1 mod 313) (313 1 mod 467) mod = mod = This problem is about ElGamal encryption and signature schemes. Let p = 71 and g = 7 be a generator of Z 71. (a) Assume that the public key is (p, g, 53) and the secret key (p, g, 23). Encrypt the plaintext m = 12 and decrypt the ciphertext (24, 13). Encrypt the plaintext m = 12 (choose r = 2) (c 1, c 2 ) = (g r, my r ) mod p = (7 2, ) mod 71 = (49, 54) 2

3 Decrypt the ciphertext (24, 13). m = c 2 /c x 1 mod p = 13/24 23 mod 71 = 13/6 mod 71 = mod 71 = 14 (b) Use the secret key as the signing key to sign the message m = 22. The randomly chosen k is 13. You don t need to do hashing before signing. Compute r = g k mod p r = g k mod p = 7 13 mod 71 = 28 Compute s = k 1 (m rx) mod (p 1) s = k 1 (m rx) mod (p 1) = 13 1 ( ) mod 70 = 27 8 mod 70 = 6 Thus, the ElGamal signature of m = 22 is (r, s) = (28, 6). 3. Show formally that if f : {0, 1} 2r {0, 1} r is a collision-resistant compression function, then the hash function h : {0, 1} {0, 1} r by Merkle s meta construction is a collision-resistant function. Assume that (x, y) is a collision of h( ) such that x y but h(x) = h(y). In Merkle s meta construction, x is padded as x = x 1 x 2 x k x k+1 and y is padded as ỹ = y 1 y 2 y k y k +1, where x i = y j = r and x k+1 and y k +1 contain the length of x and y respectively. Let v i = f(v i 1 x i ) and v i = f(v i 1 y i ), where v 0 = v 0 are the initial vectors. We have v k+1 = h(x) = h(y) = v k +1. If x y, then x k+1 y k +1. Therefore, (v k x k+1, v k y k +1) is a collision of f( ) such that v k x k+1 v k y k +1 but f(v k x k+1 ) = v k+1 = v k +1 = f(v k y k +1). If x = y, then x k+1 = y k+1. Thus, (v k x k+1, v k y k+1) is a collision of f( ) if and only if v k v k. We examine (v i, v i) from i = k + 1 to 1. There must be an index i such that v i = v i but v i 1 x i v i 1 y i. Otherwise, we will have x = y. Note that if index i = 1, then it must be the case of x 1 y 1 since we have v 0 = v 0. Therefore, (v i 1 x i, v i 1 y i ) is a collision of f( ) such that v i 1 x i v i 1 y i but f(v i 1 x i ) = v i = v i = f(v i 1, y i ). 3

4 If (x, y) is a collision of h( ), then we can find a collision of f( ) during computing h(x) = h(y). However, f( ) is collision-resistant, so h( ) is collision-resistant, too. 4. Show that the regular RSA signature scheme is arbitrarily forgeable (forging the signature of any challenge message m) if the attacker is allowed to ask the signing oracle. Note that the challenge message m cannot be queries to the signing oracle. We forge the RSA signature σ of any challenge message m by querying the signing oracle the message m = m r e mod N, where r R Z N is chosen randomly. The signing oracle will return the signature σ = m d = m d r mod N. Then, we can compute the signature σ = σ /r = m d mod N. 5. For DSA, let the public key be (p = 149, q = 37, g = 96, y = 46), and the secret key be (p = 149, q = 37, g = 96, x = 67). Compute the signature of m = 17 and verify correctness of signature (r = 14, s = 23) for m = 23. Compute the signature of m = 17 (choose k = 2) r = (g k mod p) mod q = (96 2 mod 149) mod 37 = 127 mod 37 = 16 s = k 1 (m + rx) mod q = 2 1 ( ) mod 37 = mod 37 = 8 Thus, the DSA signature of m = 17 is (r, s) = (16, 8) Verify correctness of signature (r = 14, s = 23) for m = 23 ( ) (g m y r ) s 1 mod q mod p mod q ( ) = ( ) 23 1 mod 37 mod 149 mod 37 = ( mod 149) mod 37 = 28 mod Thus, (r, s) = (14, 23) is not a valid DSA signature of m = Manually compute the 4 plaintexts of c = 698 for the Rabin encryption system, where the public key is n = 713 and the secret key is (p = 23, q = 31). 4

5 Prime p = 23 is in the form of 4k +3. Compute the square roots of c = 698 in the group of Z 23 Sqrt 23 (698) = ± mod 23 = ±698 6 mod 23 = ±13 Prime q = 31 is in the form of 4k +3. Compute the square roots of c = 698 in the group Z 31 Sqrt 31 (698) = ± mod 31 = ±698 8 mod 31 = ±4 Use the Chinese Remainder Theorem to compute the square roots of c = 698 in the group Z 713: Sqrt 713 (698) = ±13 31 (31 1 mod 23) ± 4 23 (23 1 mod 31) mod 713 = ± ± mod 713 = ±496 ± 345 mod 713 = ±128 or ± Show formally that if the factorization problem of a composite number n = pq is hard, then the Rabin encryption scheme is secure (without querying any oracle). If the Rabin encryption scheme is not secure (without querying any oracle), the factorization problem is easy. We show that how to use adversary A of the Rabin encryption scheme to solve the factorization problem. Given a challenged instance n = p q of the factorization problem, choose x R Z n and compute y = x 2 mod n. Let (n, y) be a challenged instance of the Rabin encryption scheme. Invoke A(n, y) = x. If A can compute x such that x 2 y (mod n), A breaks the Rabin encryption scheme. We have x ±x (mod n) with probability 1 since x is chosen randomly. 2 Use (x, x ) to solve the factorization problem if x ±x (mod n) as follows: { x ±x (mod n) x 2 x 2 (mod n) { x ± x 0 (mod n) x 2 x 2 0 (mod n) x + x 0 (mod n) x x 0 (mod n) (x + x) (x x) 0 (mod n) gcd(n, x ± x) = p or q 5