Advanced Cryptography Midterm Exam

Transcription

1 Advanced Crytograhy Midterm Exam Solution Serge Vaudenay duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical uestion during the exam the answers to each exercise must be rovided on searate sheets readability and style of writing will be art of the grade do not forget to ut your name on every sheet! 1 Circular RSA Encrytion Let n and d e 1 mod ϕn define an RSA key air. For some reason, we need to encryt with the lain RSA crytosystem. Q.1 If y decryts to, show that an adversary who has only the ublic key at disosal can decryt y. Hint: think modulo. If y e mod n, then y mod 0 and y mod is in Z since and are different rime numbers, is corime with so is invertible modulo, so y as well. Hence, gcdy,n so the adversary recovers easily. 2 The Goldwasser-Micali Crytosystem Consider the grou Z n. We recall that if m is an odd factor of n, then the Jacobi symbol x x m is a grou homomorhism from Z n to { 1,+1}. I.e., xy mod n m x y m m. It further has the roerty that x mm x x m m. We consider that multilication in Zn and the comutation of the above Jacobi symbol can each be done in Ologn 2. Let s be a security arameter. We consider the following ublic-key crytosystem. Key Generation. Generate two different odd rime numbers and of bit size s, comute n, and find some z Z n such that z z 1. The ublic key is n,z and the secret key is. Encrytion. To encryt a bit b {0,1}, ick r U Z n and comute c r 2 z b mod n. The cihertext is c. Decrytion. To decryt c, comute c and find b such that it euals 1 b. The laintext is b. This crytosystem is known as the Goldwasser-Micali crytosystem.

2 Q.1 Show that the crytosystem is correct. I.e., if the key generation gives n,z and, if b is any bit, if the encrytion of b with the key n,z roduces c, then the decrytion of c with the key roduces b. y construction, we have n, z 1, and c r 2 z b mod n. We have c r 2 z b since divides n. Thus, c So, the decrytion of c roduces b. r 2 z b z b 1 b Q.2 Analyze the comlexity of the three algorithms in terms of s. Key generation: to generate the rimes and of bit size s reuires Os 4 by using Miller- Rabin rimality testing, suare-and-multily exonentiation, and schoolbook multilication. The Legendre symbol reuires Os 2 which is negligible, as well as comuting n. So, key generation works in Os 4. Encrytion: this reuires a constant number of multilications which are Os 2. Decrytion: this reuires a Legendre symbol, so Os 2 as well. Q.3 Let N be the set of all n s which could be generated by the key generation algorithm. Let Fact be the roblem in which an instance is secified by n N and the solution is the factoring of n. Q.3a Define the key recovery roblem KR related to the crytosystem. For this, secify clearly what is its set of instances and what is the solution of a given instance. z 1 where In the KR roblem, an instance is a air n,z such that n N and z n is the factoring of n. The solution to the roblem is. Or, euivalently, which lays a symmetric role. Q.3b Show that the KR roblem is euivalent to the Fact roblem. Give the actual Turing reduction in both directions. Clearly, factoring n solves the roblem: by submitting n to an oracle solving Fact, we get and so we can yield. Conversely, with an oracle solving the KR roblem, we can define an algorithm to factor n. For this, we just need to find one z satisfying z solving KR. y construction, we have z z n z z 1 1 and feed n,z to the oracle If we ick a random z satisfying z n 1, we have z z but this can be 1 or 1. If this is 1 which haens with robability 1 2, feeding n,z to the KR oracle yield. We can check that solve the Fact roblem and sto. If it is +1, it is bad luck as we have a bad z and we don t know. Thus, feeding n,z to the KR oracle may give anything. However, if it gives something which solves the Fact oracle, we are hay anyway and we can sto. Otherwise, we can start again with a new z. Eventually, we find a good z and the solution to Fact. So, KR and Fact are euivalent. 2

3 Q.4 Let QR be the roblem in which an instance is secified by a air n,c in which n N and c n 1. The roblem is to decide whether or not c is a uadratic residue in Z n. Q.4a Define the decrytion roblem DP related to the crytosystem. For this, secify clearly what is its set of instances and what is the solution of a given instance. In the DP roblem, an instance is defined by a trilet n,z,c where n N let write n, z Z n is a non-uadratic residue with z n 1, and c r 2 z b mod n for some r Z n and a bit b. The roblem is to find b. Q.4b Show that the DP roblem is euivalent to the QR roblem. Give the actual Turing reduction in both directions. Clearly, with an oracle solving QR, we can solve DP: we just submit n,c to the QR oracle and obtain b. Indeed, r 2 z b mod n is a uadratic residue if and only if b 0. To show the converse, we assume an oracle O solving the DP roblem and construct an algorithm to solve the QR one. Given a QR instance n,c, we ick z Z n such that z n 1 and consider the function f z : y On,z,y. If z is a uadratic residue, we observe that for any b, r 2 z b mod n is uniformly distributed in the set of uadratic residues modulo n. So, this is indeendent from b. Thus, f z r 2 z b mod n is a random bit indeendent from b. If now z is a non-uadratic residue, f z r 2 z b mod n b. y taking b uniformly distributed, we can easily identify in which case we are. We can thus iterate until we have a good z which is a non-uadratic residue. Then, we can comute f z c and get the solution to the QR roblem. So, DP and QR are euivalent. 3 Faulty Multilier Let be a basis. Given some integers x 0,...,x n 1, we say that the seuence [x n 1,...,x 0 ] reresents x if n 1 x i0 We say that [x n 1,...,x 0 ] is a reduced seuence if 0 x i 1 for all i 0,...,n 1. We say that a number x contains a block a if there exists n and a reduced seuence [x n 1,...,x 0 ] reresenting x, and some i such that a x i. We consider the schoolbook algorithms for addition and multilication. These are the methods that children learn at school for 10 and reduced seuences. We extend them to any value. We work with a microrocessor using a built-in bit to 64-bit hardware multilication. Each bit to 64-bit multilication is called an elementary multilication. So, in the next we let We assume that there is a bug such that the result is always correct excet when the first oerand is a secial a 0 value and the second one is a secial b 0 value in which case the result is a constant c 0 which is not eual to a 0 b 0. Q.1 Let a,b,c,u,v be five 32-bit blocks. Let x be reresented by [a,b,c] and y be reresented by [u,v]. Using the schoolbook multilication algorithm in basis to multily x by y, give the list of elementary multilications which are reuired to comute xy. x i i The schoolbook algorithm makes u [a,b,c,0] + v [a,b,c]. So, it erforms av, bv, cv as in xv and also au, bu, cu as in xu. It obtains [au,bu,cu,0] + [av,bv,cv] [au,bu + av,cu + bv,cv]. It then erforms a reduction to obtain a reduced seuence reresenting xy. 3

4 Q.2 Let w b0 3 a 0 and y be reresented by [w,a 0 ]. Assume that b Deduce that y contains the block a 0 and that y 2 contains the block b 0. Hint: first show that b0 + 1 b 0 1 then show that b a 0 and deduce that b > y b 0 3. > w b0 3 a 0 Since [w,a 0 ] is a reduced seuence reresenting y, a 0 is trivially in y. We have b0 + 1 b 0 b b 0 If b 0 4 1, the denominator is uer bounded by. So, b0 + 1 b0 + 1 b 0 3 a 0 b0 3 a 0 1 Since w is the ceiling of b0 3 a 0, we obtain b a 0 > w b0 3 a 0 Now, y w + a 0. So, b 0 3 y 2 < b from which we deduce that y 2 starts with the 32-bit block b 0. Clearly, y ends with the 32-bit block a 0. It is unlikely that b 0 aears in y, nor that a 0 aears in y 2. In what follows, we assume that y does not contain the block b 0 and that y 2 does not contain the block a 0. Q.3 Assume we want to raise y to some ower k modulo n using the suare-and-multily with scanning of the bits of the exonent from left to right. The leading bit of the exonent k being 1, let b denote the second leading bit of k. Q.3a Give the list of all multilications this algorithm does when scanning these two bits in the two cases: i.e., for b 0 and b 1. When scanning the first bit, it multilies y by 1. The accumulator become eual to y. Then, it suares the accumulator and looks at the second bit. If it is 0, it does nothing more. Otherwise, it multilies the accumulator by y. So, for b 0, it comutes 1 y, y 2, and that s it. For b 1, it comutes 1 y, y 2, and y 2 y. Q.3b Show that for the y from Q.2, this algorithm is likely to comute y k mod n correctly when b 0 whereas it does a comutation error when b 1. In the b 1 case, it multilies y containing a 0 by y 2 containing b 0. Due to the schoolbook algorithm, this reuires the bogus a 0 b 0 elementary oeration so it makes an error. In the b 0 case, it never needs to multily y by y 2. So, it is unlikely that the bogus a 0 b 0 oeration occurs. 4

5 Q.4 We assume a tamer-roof device imlementing the RSA decrytion with CRT acceleration, suare-and-multily with scanning of the bits of the exonent from left to right, and the schoolbook multilication algorithm. Q.4a Assuming that the second leading bits of d mod 1 and d mod 1 are different, using the y of Q.2, give an algorithm roducing x such that x e mod n is eual to y modulo either or but not modulo both. The CRT exonentiation comutes y mod d mod 1 mod and y mod d mod 1 mod. Since y is small, y mod y mod y. So, it comutes y d mod 1 mod and y d mod 1 mod. If the second leading bits of d mod 1 and d mod 1 are different, one error will occur in exactly one of these oerations. So, after CRT reconstruction, the result x will be eual to y d modulo either or but not both. So, x e mod n will be eual to y modulo either or but not both. Q.4b Deduce a factoring attack on RSA using this device. After getting x, we comute gcdx e y mod n,n which is a non-trivial factor of n. 4 Tradoor Sbox Let n be an integer. We consider the set Z n 2 as a vector sace. Given a vector x, x k denotes its k-th comonent which is a bit. Additions are imlicitly takes modulo 2. Product of bits are also imlicitly taken modulo 2. The dot roduct α x between two vectors means n k1 α kx k. We also multily a bit by a vector by multilying the bit to each comonent. Let α,β,γ Z n 2. Let i and j be two fixed indices such that α i β j 1 and γ j 0. Let w be the total number of bits set to 1 in γ. Let A be the subset of Z n 2 of all tules in which the i-th comonent is zero. Let be the subset of Z n 2 of all tules in which the j-th comonent is zero. Let ϕ be a bijection from A to. Let be a function from Z n 2 to A defined by x k x k for all k i and x i 0. Let v 0,...,0,1,0,...,0 Z n 2 be a constant vector, where v j 1. We construct a function S on Z n 2 as follows. Sx ϕx + α x + β ϕx + ϕx k v Q.1 Show that S is a ermutation. Hint: show that Sx Sx imlies x x for any x and x and show that Sx+u Sx+v for a constant vector u and any x. Let be a function from Z n 2 to defined by v k v k for all k j and v j 0. Since is linear, since v 0, and since v v for v, we have Sx ϕx. So, Sx Sx imlies ϕx ϕx. Since ϕ is a bijection, this imlies x x. So, either x x, or x and x only differ by their i-th bit. Let u Z n 2 such that u i 1 and u is the null vector. Since x x + u, we have Sx + u Sx + v. So, x and x + u do not have the same S-image. Finally, Sx Sx imlies x x. That is, S is a ermutation. 5

6 Q.2 Comute LP S α,β. Hint: first give a simle exression of α x + β Sx. We have β Sx β ϕx + α x + β ϕx + ϕx k β v Since β j 1 and v j is the only comonent of v set to 1, we have β v 1. So, β Sx β ϕx + α x + β ϕx + ϕx k α x + ϕx k Thus, α x + β Sx ϕx k Since ϕx is uniformly distributed in when x is uniformly distributed in Z n 2, and since γ j 0, we have Pr[α x + β Sx] 2 w where w is the number of comonents of γ set to 1. Finally, we obtain LP S α,β w 2 Q.3 Deduce a way to construct an Sbox with a given high LP S α,β. We select i, j such that α i β j 1. Then, we ick γ such that γ j 0 and with many comonents set to 1 the more 1 s, the larger LP. Then, we ick a ermutation ϕ from A to. The roosed construction for S is a ermutation over Z n 2 which has a large LP Sα,β. 6