CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

Transcription

1 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones). No other electronc devces allowed. Your answers n the exam must be wrtten n Englsh. Your language sklls wll not be graded (but of course we cannot grade your answer f we do not understand t), so try to gve clear answers. Your thoughts and ways of reasonng must be clearly understood! Teacher: Elena Pagnn Examner: Akatern Mtrokotsa Questons durng the exam: Elena Pagnn (phone ) Inspecton of exam: See web page for announcement. The exam has 4 topcs and some bonus questons to gan extra ponts. The total number of ponts s 100 ponts (+ 8 bonus ponts). Grades are : CTH Grades: , , 90 or above 5 GU Grades: G, 90 or above VG Good luck! 1

2 Symmetrc Cphers (20p) 1. Consder the message m = HKPUFCMHY BHDDXZH, and let (E, D) be a substtuton cpher. (a) Decrypt m usng the followng (secret) substtuton key: plan cpher a b c d e f g h j k l m n o p q r s t u v w x y z X G P Y H Q Z I R A J S B K T C L U D M V E N W F O Usng the gven substtuton key we see that the decrypton of m s: encrypted message. (b) Can ths cpher be broken by someone who has access to m but not to the secret key? Why? (3p) No (1p), the cphertext s too short. (1p) Any message matchng the followng pattern s a possble plantext: (1p)? 1? 2? 3? 4? 5? 6? 7? 1? 8? 9? 1? 10? 10? 11? 12? 1 Other possble decryptons are: rghtward broomer, embroaden lettuce, equlobed terrace. 2. Let (E, D) be a (one-tme) semantcally secure cpher, where the messages, cphertexts and keys are bnary strngs, e.g., you can thnk M = C = K = {0, 1} n, wth n 2. Are the followng encrypton schemes, derved from (E, D), semantcally secure or not? Explan why (no need for formal proofs, but your motvatons should be well-justfed). Why do we requre n 2? Would n = 1 provde dfferent answers? (1 bonus pont) (a) E (k, m) = E(k, m) 1, where 1 denotes the strng wth all ones. (b) E (k, m) = E(k, m) RB(m), where RB(m) gves back a random bt of the nput m. (c) E (k, m) = E(k, m) RB(k), where RB(k) gves back a random bt of the nput k. (a) The encrypton scheme s semantcally secure. The cphertexts of E are smply the cphertexts of E flpped. Thus, t s easy to see that any attack aganst E can be turn nto an attack aganst E (whch s semantcally secure by assumpton). (b) The encrypton scheme s not semantcally secure. The adversary could use the folowng strategy to wn the semantc securty game. Choose m 0 = 0 (the all-0 message) and m 1 = 1 (the all-1 message). Return RB(m) as b, the guess for the b chosen by the adversary to produce the challenge cphertext. (c) The encrypton scheme s semantcally secure. Although E s leakng one bt of the key, t does not harm (gven that the key s longer than 1 bt, n 2 (1p)), snce a randomly chosen keys, wll have both 0 and 1 bts. Thus, the adversary cannot retreve any useful nformaton from RB(k). 3. Does the OTP (One Tme Pad) cpher acheve perfect secrecy? Prove t. (9p) (Hnt: you can start by quckly descrbng how the OTP cpher works and how perfect secrecy s defned). 2

3 Yes, the OTP cpher s perfect secret. The OTP Cpher (E,D) over the message-space M = {0, 1} n, the keys-pace K = {0, 1} n and the cphertext-space C = {0, 1} n (where n s a postve nteger), s defned as follows. For every key k R K: E(k, ) : M C, E(k, m) = m k, for any m M. D(k, ) : C M, D(k, c) = c k, for any m M. The noton of perfect secrecy states that, for all m 0, m 1 M such that len(m 0 ) = len(m 1 ), and for all c C (1p) t holds that: Prob[E(k, m 0 ) = c] = Prob[E(k, m 1 ) = c] where k s chosen unformly at random from K (k R K). In order to prove that the OTP cpher has perfect secrecy we need to show that Prob[E(k, m) = c] s a constant value (the same for all possble messages m M). (1p) Now, Prob[E(k, m) = c] s the probablty that there exsts a key k K that encrypts m n the cphertext c. For how the OTP encrypton s defned, there s only one key that encrypts m n c, namely k = m c. Therefore, Prob[E(k, m) = c] = number of keys that encrypt m nto c number of total keys = k K : E(k,m)=c K = 1 K = 1 2 n (1p) (1p) By replacng m wth m 0 and m 1 we get that: Prob[E(k, m 0 ) = c] = Prob[ k K : k m 0 = c] = 1 K = 1 2 n = Prob[E(k, m 1) = c]. Therefore OTP has perfect secrecy. Publc Key Encrypton (30p) 4. Descrbe the ElGamal encrypton scheme. (6p) (Hnt: wrte down nput, output and behavour of the algorthms). The ElGamal encrypton scheme s made by the three algorthm (KeyGen, Enc, Dec), defned as follows. KeyGen(λ) (pk, sk), s the key generaton algorthm. It takes as nput the securty parameter λ and generates the descrpton of a cyclc group G =< g > of order q (where q s a λ-bt long nteger). Then t chooses a random value x R {1, 2,... q 1} and computes h = g x G. The output s the secret key sk = x and the publc key pk = (G, g, q, h). Enc(pk, m) c = (c 1, c 2 ), s the encrypton algorthm. It takes as nput the publc key and a message m G and outputs the cphertext c G G. As a frst step, the algorthm generates a random value r R {1, 2,..., q 1} and computes c 1 = g r G. Then t computes c 2 = mh r G. Dec(sk, c) m s the encrypton algorthm. It takes as nput the secret key and a cphertext c G G. The decrypton works as follows. Frst t computes k = c x 1 G. Then t computes m = c 2 k 1 G. 5. Defne the IND-CCA securty game (ndstngushablty chosen cphertext attack) and show that the ElGamal encrypton scheme s not secure under IND-CCA. (11p) In the IND-CCA securty game, the adversary s gven the publc key of the scheme, 3

4 and he can ask for (at most q poly(λ)) decryptons of messages of hs choce to the challenger. After that, the adversary chooses two messages m 0, m 1 (of the same length) and sends them to the challenger. The challenger selects a random bt b R {0, 1} and returns to the attacker the cphertext c Enc(pk, m b ). The adversary then can go through another query pahse, where anyhow he s not allowed to submt the challenge cphertext c. The adversary wns the game f he can determne wth non-neglgble probablty f c s an encrypton of m 0 or of m 1 (.e., guess the bt b chosen by the Challenger). (4p) In what follows, we show a possble strategy for the attacker to wn the game (there are several varants of ths attack that are vald). The attacker can skp the frst query phase, and choose two random messages m 0, m 1 G such that m 0 m 1, and send them to the Challenger. Let c denote the receved challenge cphertext. Durng the second query phase the Adversary can submt a modfcaton of the challenge cphertext, e.g., c = (c 1, d c 2 ), where d 1 s an (of course nvertble) element n G. The plantext m returned by the Challenger wll then be m = d (c 2 c x 1 ) = d m b. Therefore the attacker can output the guess b = 0 for b n case d 1 m = m 0, and b = 1 otherwse. (5p) Followng the above strategy, we can show that the adversary has a non-neglgble advantage n the IND-CCA game. Let W denote the probablty of the event ẗhe Challenger selects b = (.e., c s an encrypton of m, {0, 1}), and the adversary outputs as a guess b = 0. Then, Adv IND CCA [A, ElGamal] = W 0 W 1 = 1 0 = 1, whch s ndeed non-neglgbly larger than Consder the cyclc group Z 37. If you explan n detals the functons / theorems / theory nvolved n ths exercse you can gan a maxmum of (3 bonus ponts) (a) How many elements are n Z 37,.e., what s the order of the group? The order of Z 37 s ϕ(37), where ϕ denotes Euler s Ph (totent) functon. (1p) Snce 37 s a prme number, we have ϕ(37) = 37 1 = 36. (1p) (b) Is Z 37 a cyclc group? How many generators does t have? (4p) Yes, Z 36 s a cyclc group because 37 s a prme number. (1p) The number of generators corresponds to the number of coprme numbers between 1 and 36, that s Z 36 has ϕ(ϕ(37)) generators (1p), more explctly ϕ(36) = ϕ( ) = (2 1) (3 1) = 12 generators. (c) Is 4 a generator of Z 37? Prove t. (7p) An element g Z 37 s a generator of the group f g36 = 1 n Z 37 and g 1 for all {1, 2,..., 35}. Therefore, n order to check f 4 s a generator we need to see f 4 1 n Z 37 for all {1, 2,..., 35}. By Lagrange theorem we know that the order of an element always dvdes the order of the group. Snce Z 37 has order 36 = we only need to check the powers 1, 2, 3, 4, 6, 9, 12, 18 (proper dvsors of 36). 4 1 = 4 1 mod 37, 4 2 = 16 ±1 mod 37 (thus 4 does not have order 2 or 4), 4 3 = 10 ±1 mod 37 (thus 4 does not have order 3 or 6). 4 9 = (4 3 ) 3 = = 1 mod 37 from whch we can derve that 4 has order 2 9 = 18 (4p) and thus 4 s not a generator of Z 37. (1p) 4

5 Data Integrty (20p) 7. Descrbe the RSA dgtal sgnature scheme. (10p) (Hnt: wrte down nput, output and behavour of the algorthms). The RSA dgtal sgnature scheme s made by the three algorthm (KeyGen, Sgn, Verfy), defned as follows. KeyGen(λ) (pk, sk), s the key generaton algorthm. Gven λ, the securty parameter of the scheme, the algorthm does: 1. Generate two, dstnct λ-bt prmes p, q; (1p) and compute N = pq and ϕ(n), where ϕ( ) denotes Euler Totent functon. (1p) 2. Choose a random nteger e R Z ϕ(n) satsfyng GCD(e, ϕ(n))=1.(1p) Compute d = e 1 mod ϕ(n). (1p) 3. Set pk = (N, e) and sk = d. (1p)(note: the role of e and d s nterchangeable, as long as Sgn takes as nput the secret value, and Verfy the publc one). Sgn(sk, m) σ, s the sgnng algorthm. It takes as nput the secret key d and a message m Z ϕ(n) and outputs the sgnature σ = m d mod N. Verfy(pk, m, σ) {0, 1} s the verfcaton algorthm. It takes as nput the publc key e, a message m and a sgnature σ; t outputs 1 f the sgnature s correct (verfes) and 0 otherwse. (1p) More formally, the verfcaton algorthm checks whether σ e = m mod N. If the equalty holds Verfy returns 1, otherwse t returns Let N > 2 be a postve nteger. Consder the functon h : Z Z N, defned as h(m) = m mod N. To check f h s a cryptographc hash functon we need to assure that h satsfes (at least) the followng three propertes: (2a) Gven a message m, the message dgest y = h(m) can be computed n an effcent way. (2b) Gven a message dgest y, t s computatonally nfeasble to fnd an m wth h(m) = y (n other words, h s a one-way, or pre-mage resstant functon). (2c) It s computatonally nfeasble to fnd two dnstnt messages m 1, m 2 Z such that h(m 1 ) = h(m 2 ) (n ths case, the functon h s sad to be collson-free). Check f h s a cryptographc hash functon,.e., for each of the propertes ((8a), (8b) and (8c)) show f h satsfes t or not. (10p) Computng the remander modulus N of a number m Z can be done n an effcent way usng, e.g., the Eucldean Algorthm. Therefore h satsfes property (8a). (1p) Property (8b) s obvously not satsfed, (1p) snce m = y tself s a possble premage of the dgest y. More formally, for every y {0, 1,..., N 1} Z t holds that h(y) = y mod N = y. (1p) From the observaton above, t s mmedate to see that h s not collson-resstant. (1p) Indeed, for any message m 1 Z we have that m 2 = m 1 + N Z has the same dgest: h(m 1 ) = m 1 mod N = m 1 + N mod N = h(m 2 ). Actually, all the messages of the form m 1 + kn have the same dgest (the remander modulus N). Advanced Topcs n Cryptography (30p) 9. Descrbe n your own words (or gve the defnton of): (a) Uncondtonal and provable securty. Also, gve at least one example of a cryptosystem n each category. (6p) 5

6 Uncondtonal securty: The cryptosystem cannot be broken even by an adversary wth unlmted computatonal power. Examples of uncondtonally secure crypto systems are: Shamr s and Mgnotte s Secret Sharng Scheme., the OTP. (1p) Provable securty: It s possble to prove that an attack that breaks the cryptosystem, can be used to solve some well-known problem wdely beleved to be (computatonally) hard. Examples of provably secure cryptosystems are: ElGamal (reduced to the Dscrete-Log assumpton), RSA (reduced to the Dscrete-Log assumpton and the factorng assumpton). (1p) (b) The three man propertes of the Fat-Shamr dentfcaton protocol (Completeness, Soundness and Zero-Knowledge). (8p) Completeness: An (nteractve) dentfcaton protocol s complete f an honest prover P succeeds n convncng a honest verfer V that a true statement s true. Soundness: An (nteractve) dentfcaton protocol s sound f no dshonest prover P succeeds n convncng an honest verfer V that a false statement s true. Zero-Knowledge: An honest prover P can convnce the verfer V of the valdty of a statement wthout revealng any nformaton beyond the truth of the statement. In other words, an honest-but-curous verfer s not able to extract any useful nformaton (e.g. the secret key) from the prover whle, at the same tme, the verfer wll be convnced that the prover knows the secret. (4p) 10. Consder the Secure Multparty Computaton (SMPC) protocol for addton, based on the Shamr Secret Sharng Scheme, seen n class. Assume that there are n = 4 partes (P 1, P 2, P 3, P 4 ), that the system tolerates t = 3 corrupted partes, and that all computatons are done n Z 13. (a) Imagne you are P 1, and your secret nput to the computaton s a = 5. Explan how you would share your secret value a wth the other partes and what you expect to receve from each other party (note that no explct computaton s requred for ths step, just a formal descrpton of how the scheme works). (4p) In order to share the secret a Z 13 usng the Shamr Secret Sharng Scheme, the party P 1 needs to frst select a random polynomal f(x) Z 13 [x] satsfyng f(0) = a and 3 = t = deg(f). In other words, P 1 generates f(x) as f(x) = a + r 1 x + r 2 x 2 + r + 3x 3 R wth r 1, r 2, r 3 Z13. Then P 1 computes f on the ponts {1, 2, 3, 4} and gves to party P the share a = f(). (1p) Each party follows the same procedure, thus P 1 receves the shares of each party s secret nput computed n = 1, namely b 1, c 1 and d 1. (1p) (b) Now, magne you are P 1 and hold the table below (whch corresponds to your vew of the protocol). Compute the value S = a+b+c+d usng the nformaton contaned n the table. (12p) P 1 P 2 P 3 P 4 a = 5 a 1 = 5 a 2 = 12 a 3 = 7 a 4 = 10 b =? b 1 = 4??? c =? c 1 = 12??? d =? d 1 = 9??? S s 1 = 4 s 2 = 6 s 3 = 1 s 4 = 7 6

7 Party P 1 can compute the sum S by usng Lagrange nterpolaton on the partal sums s 1, s 2, s 3 and s 4 n the formula S = 4 =1 s 1 (0), where (0) denote the Lagrange nterpolaton polynomals (evaluated at 0) (4p) and defned as: (0) = j {1,2,3,4} {} j(j ) 1 (here k 1 denotes the nverse of k modulus 13). (1p) 1 (0) = 2(2 1) 1 3(3 1) 1 4(4 1) 1 = 4 mod 13 2 (0) = 1(1 2) 1 3(3 2) 1 4(4 2) 1 = 7 mod 13 3 (0) = 1(1 3) 1 2(2 3) 1 4(4 3) 1 = 4 mod 13 4 (0) = 1(1 4) 1 2(2 4) 1 3(3 4) 1 = 12 mod 13 For each δ : (1p) for correct computaton, (0.5p) for usng EEA / Bézout dentty to fnd the nverses n Z 13. Total (6p). Substtutng the numbers n the Largange nterpolaton formula, one gets: = 3 mod 13. Thus S = 3. (1p). (c) Bonus queston: Lookng at the table n pont (10b), are you able to determne what was the polynomal f chosen by P 1 to share a? Why? Compute the polynomal f, f possble. (4 bonus ponts) Yes, t s possble to retreve the polynomal f chosen by P 1, because table (10b) contans n = 4 ponts on whch the degree t = 3 polynomal (chosen by P 1 to share the secret nput a) s evaluated, and there exsts only one degree t polynomal passng on t + 1 = 4 ponts (1p). It s possble to compute f(x) Z 13 [x] usng the Lagrange nterpolaton on the ponts f(1) = a 1 = 5, f(2) = a 2 = 12 1 mod 13, f(3) = a 3 = 7, f(4) = a 4 = 10, as follows: f(x) = 4 =1 f() (x) mod 13 where (x) = j {1,2,3,4} {} (x j)( j) 1 (1p). By substtutng the numbers n the above expressons we get: 1 (x) = x x x = 2( x 3 + ( 4 3 2)x 2 + ( )x + 2 ) = 2x 3 + 8x mod 13 (0.5p) 2 (x) = 7x 3 + 9x 2 + 3x + 7 mod 13 (0.5p) 3 (x) = 6x 3 3x 2 + 6x + 4 mod 13 (0.5p) 4 (x) = 2x 3 x 2 + 4x 1 mod 13 (0.5p) Thus, f(x) = x 3 + x