Cryptography Assignment 3

Transcription

1 Crytograhy Assignment Michael Orlov Yanik Gleyzer Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some of the questions, stricter bounds than requested are roven. 1 Question 1 In this question we show that using e = in RSA crytosystem is roblematic. The crytosystem we consider is given by N = q for rime,q, where log N = n 1, and < q < N. The ublic key is N, and the rivate key is N, d, where d Z ϕn) and d 1 mod ϕn)). We also assume that n > 6. We immediately note several facts. First, since q < N, = N q > N N. Therefore, N = 1 N < < q < N 1.1) Second, since n > 6, it follows that N 64 > 6, and by 1.1),, q > 1.) Finally, by 1.), < ϕn) = 1)q 1), and from d 1 mod ϕn)) it follows that Z ϕn) and gcd, ϕn)) = 1 A N : d = AϕN) ) A Lemma A. Proof. By 1.), A = d 1 ϕn) 1.4)

2 1. A 1 1 QUESTION 1 Since d Z ϕn), we have 1 d ϕn) 1 d ϕn) d 1 ϕn) 4 0 < 4 A < by 1.4) ϕn) ϕn) 1 A A N) 1. A 1 Lemma 1.. A 1. Proof. Assume by contradiction that A = 1. Then, by 1.), d = ϕn) + 1 = 1)q 1) + 1 Also by 1.) and 1.),, q, 1, q 1 0 mod ) since and q are rime, and 1 and q 1 can t have common factors with non-trivial factors of. Moreover, 1, q 1 +, q mod ) and therefore, since 1 and q 1 have to belong to some equivalence class modulo, 1, q 1 1 mod ) Consequently, we have d mod = 1)q 1) + 1 ) mod ) ) ) = 1) mod q 1) mod + 1 mod = mod = This is clearly a contradiction to d 0 mod ). 1. Comuting d given ϕn) By 1.), we have d = AϕN) + 1 By Lemma 1.1 and Lemma 1., it follows that A =, therefore d is given by d = ϕn) ) Clearly, 1.5) can be comuted in time On) shift-left oeration, addition of constant and division by constant oerations, each of which has time comlexity logarithmic in N). Page of 10 M. Orlov, Y. Gleyzer

3 QUESTION 1.4 Bounds on ϕn) 1.4 Bounds on ϕn) Lemma 1.. N 4 N < ϕn) < N N. Proof. Lower bound is given by ϕn) = 1)q 1) = q q + 1 > N q > N N N by 1.1) = N 4 N Uer bound is derived in similar way: ϕn) = N q 1) < N 1 1 N N by 1.1) = N N 1.5 Finding d close to d From Sec. 1. and by Lemma 1., Eve can efficiently comute bounds on d, knowing only N: d l = N 4 N) + 1 d u = N N) + 1 d l < d < d u We note that d u d l = N and by efficiently comuting d = d l + d u Eve can assure that d d < N = N 5 N + 1 = N 8 N + 1 = N N + 1 Question We consider odd rimes and q, with = q + 1. M. Orlov, Y. Gleyzer Page of 10

4 .1 Primitive elements in Z QUESTION.1 Primitive elements in Z Lemma.1. Let a Z, and a ±1 mod ). Then, exactly one of {a, a mod )} is a rimitive element modulo, and the other is a quadratic residue modulo and not a rimitive element modulo ). Proof. Let a Z, and a ±1 mod ). We note that ) ) a a a 1 1 a) mod ) by Theorem 5.10, [1] 1) q a ) 1 mod ) a 1 ) mod ) q is odd 1 mod ) by Euler s Theorem Since a Z, it follows that a 0 mod ), and therefore ) ) a a, {1, 1} Consequently, ) a = 1 ) a = 1 or ) a = 1 ) a = 1 The rime divisors of 1 are and q. For x {a, a}, x 1 q = a 1 mod ) since roots of 1 modulo are ±1 mod ), and x ±1 mod ). Additionally, x 1 ) x mod ) which is not congruent to 1 mod ) for one of {a, a}, and is congruent to 1 mod ) for the other. Therefore, by Theorem 5.8, [1], exactly one of {a, a} is a rimitive element modulo, and the other is a quadratic residue modulo by Euler s Criterion.. Algorithm for finding a rimitive element A straightforward algorithm for finding a rimitive element modulo, based on Lemma.1, is shown in Alg. 1. Multilication of two numbers modulo n can be erformed in Olog n) time, and exonentiation in ower k modulo n can be done using Olog k) multilications. Thus, the time-comlexity of Alg. 1 is Olog ). 1 1 Tighter uer bounds can be achieved, for examle, by using FFTs or Karatsuba algorithm for multilication. Page 4 of 10 M. Orlov, Y. Gleyzer

5 QUESTION Algorithm 1 PRIMITIVE-ELEMENT) Require: and 1 are odd rimes Ensure: A rimitive element in Z is returned 1: if 1 1 mod ) then : return : else 4: return Question An ElGamal crytosystem is given by a rivate key, g, b and a ublic key, g, B, where is rime, g is a rimitive element modulo, b Z 1 and B g b mod ). Encrytion function for message M Z and random a Z 1 is given by em, a) = g a mod, B a M mod = A, C and decrytion is erformed using the tradoor b by d A, C ) = A b ) 1 C ) mod = M.1 Multilicativity of ElGamal Lemma.1. For messages M 1, M Z and a 1, a Z 1 for which the corresonding crytograms are it holds that em 1, a 1 ) = A 1, C 1 em, a ) = A, C e M 1 M mod, a 1 + a mod 1) ) = A 1 A mod, C 1 C mod Proof. The identity is easy to verify: e M 1 M mod, a 1 + a mod 1) ) = g a1+a mod 1) mod, B a1+a mod 1) M 1 M mod = g a1+a mod, B a1+a M 1 M mod by Euler s Theorem = g a1 g a mod, B a1 M 1 B a M mod = A 1 A mod, C 1 C mod. Chosen cihertext attack Lemma.1 can be used to mount a chosen cihertext attack against ElGamal crytosystem as follows. Suose Eve intercets a crytogram A, C, em, a) = A, C M. Orlov, Y. Gleyzer Page 5 of 10

6 4 QUESTION 4 for some message M Z and some a Z 1, and is allowed to ask for decrytion of any other crytogram. Noting that 1 Z, Z 1 for > and e1, 1) = g, B it is straightforward to aly Lemma.1 to see that e M, a + 1 mod 1) ) = ga mod, BC mod Moreover, since g is a rimitive element modulo, g 1 mod ), and therefore ga mod, BC mod A, C and Eve can ask for decrytion of this crytogram and recover the message: d ga mod, BC mod ) = M 4 Question 4 In this question we assume odd rime, with g Z which is a rimitive element modulo. 4.1 Criterion for quadratic residue Lemma 4.1. For a, b Z 1, K g ab mod ) is a quadratic residue modulo if and only if a is even or b is even. Proof. First, assume that a or b is even, then ab = i for some i N. Therefore, K g ab = g i = g i ) mod ) and K is a quadratic residue modulo with roots ±g i mod ). Conversely, assume that K is a quadratic residue modulo : y Z : y K g ab mod ) Since g is a rimitive element modulo, and thus! i Z 1 : y g i mod ) g i ) = g i g ab mod ) Again, since g is a rimitive element modulo, and by Euler s Theorem, i ab mod ϕ) = 1) which means that k Z : ab = k 1) + i Since is odd, 1 is even, as well as i, and therefore ab is even, from which it follows that one of {a, b} is even. Page 6 of 10 M. Orlov, Y. Gleyzer

7 4 QUESTION 4 4. Distribution of the key in Diffie-Hellman 4. Distribution of the key in Diffie-Hellman In Diffie-Hellman key exchange rotocol, a and b are chosen from Z 1 using uniform distribution, and we can comute the robability PQR K that the chosen key K = g ab mod is a quadratic residue using Lemma 4.1: ) 1 PQR K = 1 Pr[a is odd] Pr[b is odd] = 1 = 4 On the other hand, in uniform distribution on Z the robability P U QR that a chosen element in Z is a quadratic residue is given by P U QR = QRZ ) 1 If we consider a common case in Diffie-Hellman key exchange rotocol, where = q + 1 for odd rimes, q, by Lemma.1 there are quadratic residues modulo, which are not congruent to ±1 mod ). Alying Euler s Criterion to ±1 mod ) we see that 1 is not a quadratic residue modulo because q is odd). Thus, in this case, P U QR = = 1 4 = P QR K Therefore, in general, the key that is generated in Diffie-Hellman key exchange rotocol is not distributed uniformly over Z. 4. Determining whether K is a quadratic residue Lemma 4.. Consider a, b Z 1, and A g a mod ) B g b mod ) K g ab mod ) Then, K is a quadratic residue modulo if and only if one of {A, B} is a quadratic residue modulo. Proof. Assume that K is a quadratic residue modulo. By Lemma 4.1, a or b is even. Without loss of generality, assume that a is even, a = i, in which case A g a = g i = g i ) mod ) and A is a quadratic residue modulo with roots ±g i mod ). Conversely, assume without loss of generality that A is a quadratic residue modulo. By Euler s Criterion, 1 A 1 g a 1 mod ) Since g is a rimitive element modulo, it follows that 1) a 1 and therefore a N in other words, a is even. Thus, by Lemma 4.1, K is a quadratic residue modulo. M. Orlov, Y. Gleyzer Page 7 of 10

8 4.4 Semantic security of ElGamal 4 QUESTION 4 Thus Eve, who interceted A and B during Diffie-Hellman key exchange, can efficiently comute ) A = A 1 mod ) B = B 1 mod and infer that K is a quadratic residue modulo if and only if ) ) A B = 1 = 1 Note that K is either a quadratic residue, or quadratic non-residue, since K Z : ) K {1, 1} and thus K ) can be efficiently comuted. 4.4 Semantic security of ElGamal Consider an ElGamal crytosystem with the rivate key, g, b and the ublic key, g, B, where B g b mod ). Suose that Eve, who knows the ublic key, g, B, intercets a crytogram A, C = g a, B a M for some M Z and a Z 1. Note that using the rocess described in Sec. 4., Eve can efficiently comute B a ), and she can also efficiently comute C ) using Euler s Criterion. The following lemma shows that the value of the Legendre symbol is a multilicative roerty. Lemma 4.. For rime and A, B Z, ) ) ) A B AB mod = Proof. A ) ) B = A 1 1 B mod = AB) 1 mod ) AB mod = Therefore, ) ) M B a 1 ) C = = B a ) ) C Page 8 of 10 M. Orlov, Y. Gleyzer

9 5 QUESTION 5 and Eve can efficiently check whether the encryted message is a quadratic residue modulo. ElGamal crytosystem is thus not semantically secure when both quadratic residue and quadratic non-residue modulo messages are allowed. 5 Question 5 Denote τ = {0, 1}. In this question we show that for m τ 64 and K τ 64, DESm, K) = DESm, K) 5.1) which can be generalized for similar Feistel-tye cihers. First, let us define σ k,l as the set of all functions σ : τ k τ l which select l bits in some order from a k-bit string, ossibly with reetitions. We note that k, l N, σ σ k,l : x τ k : σx) = σx) 5.) We also define π k as the set of all k-bit ermutation functions. Since π k σ k,k, as a rivate case of 5.) we see that k N, π π k : x τ k : πx) = πx) 5.) Finally, we note two roerties of the exclusive-or oeration: k N, x, y τ k : x y = x y k N, x, y τ k : x y = x y 5.4a) 5.4b) One round of DES encrytion g : τ τ τ 48 τ τ is given by L i, R i = g L i 1, R i 1, K i ) = R i 1, L i 1 fr i 1, K i ) 5.5) for 1 i 16, where the round key K i is given by K i = σ i K) 5.6) where K is the encrytion key, and σ i σ 64,48. The function f : τ τ 48 τ is given by fr, K) = π P S 1,...,8 σe R) K )) 5.7) where σ E σ,48 is the bit exansion function, π P π is a bit ermutation, and S 1,...,8 : τ 48 τ is the non-linear comonent of the crytosystem the eight S-boxes). Finally, the encrytion function DES : τ 64 τ 64 τ 64 is given by DESm, K) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) 5.8) where π IP π 64 is the initial ermutation, and π swa π 64 is a ermutation that rotates the block by bits. 4 We have now established the notation to rove 5.1). We are not comletely loyal to the notations in [], in order to describe the encrytion rocess more clearly. We don t break round keys generation rocess into rimitive choice ermutations π PC-1 and π PC- and bit shift oerations, but each round key is clearly a choice ermutation of K. 4 We ignore trivial conversions between 64-bit block and two -bit blocks for clarity. M. Orlov, Y. Gleyzer Page 9 of 10

10 REFERENCES REFERENCES Lemma 5.1. For all m, K τ 64, DESm, K) = DESm, K) Proof. First, we show that the following holds for f: fr, K) = π P S 1,...,8 σe R) K )) by 5.7) = π P S 1,...,8 σe R) K )) by 5.) = π P S 1,...,8 σe R) K )) by 5.4a) 5.9) = fr, K) by 5.7) Consequently, in round 1 i 16, g L i 1, R i 1, K i ) = R i 1, L i 1 fr i 1, K i ) by 5.5) = R i 1, L i 1 fr i 1, K i ) by 5.9) = R i 1, L i 1 fr i 1, K i ) by 5.4b) 5.10) = g L i 1, R i 1, K i ) by 5.5) We also note that K) i = σ i K) by 5.6) = σ i K) by 5.) 5.11) = K i by 5.6) We can now finally see that DESm, K) = π 1 IP π swag gπ IP m), K) 1 )..., K) 16 ))) by 5.8) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.11) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.10). = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.10) = π 1 IP π swag gπ IP m), K 1 )..., K 16 ))) by 5.) = DESm, K) by 5.8) References [1] Douglas R. Stinson. Crytograhy: Theory and Practice. Discrete Mathematics and its Alications. CRC Press, second edition, 00. [] Data Encrytion Standard DES). U.S. Deartment of Commerce / National Institute of Standards and Technology, October Page 10 of 10 M. Orlov, Y. Gleyzer