TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Similar documents
TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

1 Number Theory Basics

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Introduction to Cryptology. Lecture 20

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

10 Concrete candidates for public key crypto

Cryptography and Security Final Exam

Lecture 1: Introduction to Public key cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

II. Digital signatures

Question: Total Points: Score:

Lecture 17: Constructions of Public-Key Encryption

Introduction to Cryptography. Lecture 8

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

ECS 189A Final Cryptography Spring 2011

El Gamal A DDH based encryption scheme. Table of contents

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Introduction to Modern Cryptography. Benny Chor

5.4 ElGamal - definition

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Digital Signatures. Adam O Neill based on

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Cryptography and Security Midterm Exam

Discrete Logarithm Problem

basics of security/cryptography

Solution to Midterm Examination

Cryptography IV: Asymmetric Ciphers

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Exam Security January 19, :30 11:30

Katz, Lindell Introduction to Modern Cryptrography

Public-Key Cryptosystems CHAPTER 4

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Public Key Cryptography

Lecture Note 3 Date:

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 7: ElGamal and Discrete Logarithms

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

ASYMMETRIC ENCRYPTION

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Lecture Notes, Week 6

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Introduction to Elliptic Curve Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Discrete Logarithm Problem

Public Key Cryptography

CS 355: Topics in Cryptography Spring Problem Set 5.

Foundations of Network and Computer Security

Digital Signatures. p1.

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Block Ciphers/Pseudorandom Permutations

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 22: RSA Encryption. RSA Encryption

9 Knapsack Cryptography

Notes for Lecture 17

Math 223, Spring 2009 Final Exam Solutions

CPA-Security. Definition: A private-key encryption scheme

Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Modern Cryptography. Benny Chor

2 Message authentication codes (MACs)

Public-Key Encryption: ElGamal, RSA, Rabin

Points of High Order on Elliptic Curves ECDSA

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Solutions to homework 2

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

10 Public Key Cryptography : RSA

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Public Key Encryption

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Lecture 5, CPA Secure Encryption from PRFs

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Introduction to Cryptology. Lecture 3

Chapter 8 Public-key Cryptography and Digital Signatures

CIS 551 / TCOM 401 Computer and Network Security

CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2

Transcription:

Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam. This exam consists of five exercises. You have from 13:30 16:30 to solve them. You can reach 100 points. Make sure to justify your answers in detail and to give clear arguments. Document all your steps. In particular for algorithms do include all relevant parts of the internal state of the algorithm (at least the information given in the examples that were done during the lecture); it is not sufficient to state the correct result without the explanation. If the exercise asks for the usage of a particular algorithm other solutions will not be accepted even if they give the correct result. All answers must be submitted on TU/e letterhead; should you require more sheets ask the proctor. State your name on every sheet. Do not write in red or with a pencil. Text written with one of the two will be ignored. You are allowed to use any books and notes, e.g. your homework. You are not allowed to use the textbooks of your colleagues. You are allowed to use a calculator without networking abilities. Usage of cell phones or laptops (other than the ones brought be the TAs) is forbidden.

1. Warm-up: Diffie-Hellman (3 points total). This exercise is about the Diffie-Hellman key exchange. The system uses the multiplicative group IF p modulo the prime p = 24097. The element g = 5 IF 24097 has order 24096 and is thus a generator of the full multiplicative group. (a) Alice chooses a = 192 as her secret key. Compute Alice s public key. 1 point (b) Alice receives h b = g b = 8964 from Bob as his Diffie-Hellman keyshare. Compute the key shared between Alice and Bob, using Alice s secret key a from the first part of this exercise. 2 points 2. Discrete logarithms (27 points total). This exercise is about computing discrete logarithms in the multiplicative group of IF p for p = 24097. The element g = 5 has order q = 24096. The factorization of q is q = 24096 = 2 5 3 251. Use the Pohlig-Hellman attack to compute the discrete logarithm b of Bob s key h b = g b = 8964. I.e., you should break down the computation into discrete logarithms in subgroups of the smallest order possible. So you will have to eventually compute discrete logarithms in subgroups of order 2, 3 and 251. To solve the discrete logarithm in the subgroup of order 251 use the baby-step, giant-step algorithm. Verify your intermediate and your final solutions! 27 points 1

3. RSA Encryption (30 points total). This exercise is about RSA encryption. (a) Generate an RSA key pair. For this, you are given three digit random numbers x 1,..., x 4 below for which you have to check primality until you found two prime numbers. (Hint: Use the x i according to the order of the indices.) For primality testing use the Miller-Rabin primality test. As a-values in Miller-Rabin use the a 1,..., a 6 given below (do only use each a i once, i.e., if you already used a 1 in the primality test for x 1 do not use it in the primality test for x 2 and so on). For this exercise it is sufficient to achieve a probability of 0.875 that a number is prime. i 1 2 3 4 x i 671 673 677 679 i 1 2 3 4 5 6 7 a i 61 151 13 481 101 17 222 i. How many iterations of Miller-Rabin are necessary to achieve a probability of 0.875 that a number is prime? 1 point ii. Output p, q, as well as public key (N, e) and secret key (N, d) using public exponent e = 2 16 + 1. 9 points (b) Bob uses public key (N, e) = (128 417, 17). Encrypt the message 77 for Bob using schoolbook RSA in combination with square & multiply. 3 points (c) Bob just received some interesting message but you only saw the ciphertext: c = 114 472. So, lets break Bob s key. Factor Bob s N = 128 417 using Pollard s roh method with iteration function x i+1 = x 2 i + 1 and Floyd s cycle finding algorithm. Start with x 0 = 7. Do not do the gcd over 100 pairs, but do it for each pair x i, x 2i. 9 points (d) Because this was so much fun, factor Bob s N once more, this time using Pollard s (p 1) method. Use as exponent s = lcm{1, 2, 3, 4, 5, 6, 7} and as basis a = 17. 5 points (e) Now decrypt c = 114 472 using Bob s secret key. Provide Bob s secret key (N, d), and the decrypted message. 3 points 2

4. Reductionist proofs (20 points total). This exercise is about reductionist proofs. Let Sig = (Gen, Sign, Vrfy) be a digital signature scheme that uses a secret key sk {0, 1} ln consisting of ln random bits where n is the security parameter. Furthermore assume that Sig has the special property that there exists a key derivation algorithm DKey which given a secret key sk {0, 1} ln outputs a matching public key pk for Sig. We can construct a signature scheme Sig from Sig that works essentially as Sig with the only difference that it has secret keys sk {0, 1} n consisting of just n random bits (instead of ln bits). For this we make use of a pseudorandom generator G : {0, 1} n {0, 1} ln with expansion factor l. Key generation: The key generation algorithm Gen of Sig gets replaced by a new key generation algorithm Gen. The new key generation Gen first samples a random n bit secret key sk R {0, 1} n, then it runs pk DKey(G(sk )) to derive a public key by first expanding sk to ln bits and then applying DKey. (a) Write down the signature generation and the signature verification algorithms Sign, and Vrfy of Sig. 5 points (b) Now you have to show that the new scheme is secure. You are asked to show that if Sig is EU-CMA-secure and G is a secure pseudorandom generator, then Sig is also EU-CMA-secure. More specifically you are asked to show that if there is a nonnegligible difference in the success probability of an adversary A when it runs in the EU-CMA experiment against Sig or Sig this can be used to break the pseudorandomness of G. Recall, the success probability of a distinguisher D against the pseudorandomness of pseudorandom generator G is defined as ɛ prg (n) = Pr[D(x) = 1 r R {0, 1} n, x G(r)] Pr[D(x) = 1 x R {0, 1} ln ]. We call G a secure pseudorandom generator when ɛ prg (n) is a negligible function in n for all polynomial-time distinguishers D. The EU-CMA security of a signature scheme is defined using the following experiment: 3

Experiment Exp EU CMA A,Sig (n) i. (pk, sk) Gen(1 n ) ii. (m, σ) A Sign sk ( ) (pk). Let {m i } q 1 denote A s queries to Sign sk iii. If (Vrfy pk (m, σ) := 1, and m {m i } q 1 ) return 1 iv. Else return 0. The success probability of an adversary A in winning the above game is defined as ɛ eu cma (n) = Pr[Exp EU CMA A,Sig (n) = 1]. We say that Sig is EU-CMA-secure if ɛ eu cma (n) is a negligible function in n for all polynomial-time adversaries A. 15 points 4

5. Perfect secrecy (20 points total). Let q ZZ, q > 1 be prime. Consider the following secret key encryption scheme E over message space M = {1,..., q 1}: Gen() : Outputs (k 1, k 2 ), a pair of random numbers, as secret key where k 1 R {1,..., q 1} and k 2 R {0,..., q 1}. Enc k (m) : Returns c = k 1 m + k 2 mod q. Dec k (c) : Returns m = (c k 2 )k 1 1 mod q. Prove that E is a perfectly secret encryption scheme. 20 points 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback