Cryptography and Security Midterm Exam

Similar documents
Cryptography and Security Final Exam

Cryptography and Security Midterm Exam

Cryptography and Security Final Exam

Cryptography and Security Final Exam

Public-Key Cryptosystems CHAPTER 4

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Introduction to Cybersecurity Cryptography (Part 4)

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 11: Key Agreement

Question: Total Points: Score:

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Math/Mthe 418/818. Review Questions

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Public Key Encryption

Lecture 22: RSA Encryption. RSA Encryption

Exercise Sheet Cryptography 1, 2011

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Security Protocols and Application Final Exam

CPSC 467b: Cryptography and Computer Security

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

1 Number Theory Basics

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Notes for Lecture 17

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

14 Diffie-Hellman Key Agreement

Lecture Notes, Week 6

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Practice Assignment 2 Discussion 24/02/ /02/2018

Cryptography. P. Danziger. Transmit...Bob...

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Solution to Midterm Examination

5199/IOC5063 Theory of Cryptology, 2014 Fall

5.4 ElGamal - definition

Perfectly-Secret Encryption

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Introduction to Cryptography. Lecture 8

MATH 158 FINAL EXAM 20 DECEMBER 2016

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Public Key Cryptography

ECS 189A Final Cryptography Spring 2011

Cryptography IV: Asymmetric Ciphers

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Written examination. Tuesday, August 18, 2015, 08:30 a.m.

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

COMP4109 : Applied Cryptography

El Gamal A DDH based encryption scheme. Table of contents

Mathematics of Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

ASYMMETRIC ENCRYPTION

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 1: Introduction to Public key cryptography

Public Key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

10 Modular Arithmetic and Cryptography

CPSC 467: Cryptography and Computer Security

Public-Key Encryption: ElGamal, RSA, Rabin

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

RSA RSA public key cryptosystem

Introduction to Elliptic Curve Cryptography. Anupam Datta

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

RSA. Ramki Thurimella

Discrete Logarithm Problem

Computer Science A Cryptography and Data Security. Claude Crépeau

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

An Introduction to Probabilistic Encryption

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Security II: Cryptography exercises

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lectures 2+3: Provable Security

Lecture 7: ElGamal and Discrete Logarithms

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Introduction to Modern Cryptography. Benny Chor

Cryptography: Joining the RSA Cryptosystem

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

RSA ENCRYPTION USING THREE MERSENNE PRIMES

Public Key Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Transcription:

Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical question during the exam readability and style of writing will be part of the grade answers should not be written with a pencil

1 RSA over Z p α q β We consider a variant of RSA in which the modulus is selected of form n = p α q β and two different large prime numbers p and q. As usual, the public key is a pair (n, e) and the secret key is a pair (n, d). We assume that α and β are two constants in this cryptosystem. Q.1 Explain the encryption algorithm Enc, the decryption algorithm Dec, and the key generation algorithm Gen. What relation must exist between the public key and the secret key? Q.2 Prove that for all x Z n we have Dec n,d (Enc n,e (x)) = x but that there exist some (rare) x Z n such that Dec n,d (Enc n,e (x)) x when e > 1.

Q.3 If either α = 0 or β = 0, prove that this cryptosystem is insecure. Describe an attack and show it has a low complexity. Q.4 If x 2 y 2 (mod n), x y (mod n), and x y (mod n), formally prove that gcd(x y, n) is a nontrivial factor of n.

Q.5 Explain that the ability to compute square roots in Z n allows to factor n efficiently. (Note that we must find p and q, not only a non-trivial factor.) Q.6 Further prove that the knowledge of any multiple of λ(n) allows to factor n efficiently.

2 A New Meet-in-the-Middle Let x C k (x) be a block cipher encryption using a key k and y Ck 1 (y) be the corresponding block cipher decryption. We assume that k, x, and y live in the space {0, 1} l, for a given integer l. The key k is uniformly distributed. In this exercise, we define new block ciphers using longer keys. We do analysis in a known plaintext attack setting: we assume the adversary gets m pairs (x i, y i ) consisting of a random x i and its encryption y i. The purpose is to do a key recovery with probability of success close to 1. We say that the attack succeeds if it stops with the correct secret key (and only the correct one) as output. In this exercise, we will look for attacks with a variable m and study how to select m for a high success probability in the last question. Q.1 For the block cipher x C k (x), describe the best possible known plaintext attack and its complexity. Describe the attack with a pseudocode. Note: in all questions of the exercise, the complexity is the average time complexity. It is given in terms of number of C or C 1 evaluations to make, or equivalent computation.

Q.2 We define C k 1,k 2 (x) = C k2 (C k1 (x)). Find two functions f and g such that k 1, k 2, x f(k 1, x) = g(k 2, C k 1,k 2 (x)) Pr a,b,k1,k 2,x[f(a, x) = g(b, C k 1,k 2 (x))] = 2 l prove these properties, and describe the best possible known plaintext attack and its complexity. Describe the attack with a pseudocode.

Q.3 We let designate a group operation in {0, 1} l. We define C k 1,k 2,k 3 (x) = C k3 (k 2 C k1 (x)). Find two functions f and g such that k 1, k 2, k 3, x, x f(k 1, x, x ) = g(k 3, C k 1,k 2,k 3 (x), C k 1,k 2,k 3 (x )) Pr a,b,k1,k 2,k 3,x,x [f(a, x, x ) = g(b, C k 1,k 2,k 3 (x), C k 1,k 2,k 3 (x ))] = 2 l and show the first property. Describe the best possible known plaintext attack and its complexity. Describe the attack with a pseudocode.

Q.4 Assume a construction x Enc k1,...,k n (x) like the ones in this exercise, i.e. based on the block cipher x C k (x) and using n keys k 1,..., k n {0, 1} l. Given m pairs (x i, y i ), estimate the probability that there exists no tuple (k 1,..., k n) different from (k 1,..., k n ) such that for all i, we have Enc k 1,...,k n (x i) = y i. Explain how to select a minimal m so that this probability is high (i.e. very close to 1). NOTE: We consider reasonable constructions Enc k1,...,k n (x). I.e., there may be weird counterexamples for which the results of this question are different.

3 A Variant of Diffie-Hellman in Z n In this exercise, we want to adapt the Diffie-Hellman protocol in the group Z n for n = pq where p and q are two different odd prime numbers which are not known by anyone. We consider the following protocol: Alice Bob pick g Z n at random pick x {1,..., B} at random X g x g,x mod n Y pick y {1,..., B} at random Y g y mod n K Y x mod n K X y mod n where B is an integer which is at least n 2. We will see that using this protocol is not a good idea. Q.1 What is missing in the above variant of the Diffie-Hellman protocol? (Compare to what was explained in class.) Q.2 Prove that Z n is not cyclic. Then, explain why the protocol added g in the communication. HINT: Show that Z n is isomorphic to Z p 1 Z q 1 and find elements of order two. HINT 2 : It is not necessary to follow the previous hint.

Q.3 Explain why can t we pick x, y Z m where m is the order of g? Instead, we pick x, y {1,..., B} uniformly, where B is an integer such that B n 2. Let m be an integer such that m < n. Prove that for any fixed value X, Pr[x = X] Pr[y mod m = X] 1 B where x is uniformly distributed in Z m and y is uniformly distributed in {1,..., B}. Q.4 Prove that there is a polynomial-time algorithm D such that Pr[D(g, g x, g y, g xy ) = 1] Pr[D(g, g x, g y, g z ) = 1] 1 4 where g Z n is uniform and x, y, z Z m are uniform, with m equal to the order of g in Z n. HINT: use the Jacobi symbol ( /n) and reconstruct a distinguisher like the one seen in class. Consider the cases (g/n) = +1 and (g/n) = 1.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback