Cryptography and Security Midterm Exam

Similar documents
Cryptography and Security Midterm Exam

Cryptography and Security Final Exam

Cryptography and Security Final Exam

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Security Protocols and Application Final Exam

Cryptography and Security Final Exam

Exercise Sheet Cryptography 1, 2011

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

Attempt QUESTIONS 1 and 2, and THREE other questions. penalised if you attempt additional questions.

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Name: Mathematics 1C03

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 6: Introducing Complexity

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Solution to Midterm Examination

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

MODULAR ARITHMETIC KEITH CONRAD

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

2.2 Inverses and GCDs

Secret Sharing CPT, Version 3

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Pseudorandom Generators

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Chapter 2 : Perfectly-Secret Encryption

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

CPSC 467b: Cryptography and Computer Security

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

Cryptography: Joining the RSA Cryptosystem

Applied Cryptography and Computer Security CSE 664 Spring 2017

Solutions to the Midterm Test (March 5, 2011)

Computer Science A Cryptography and Data Security. Claude Crépeau

Notes on Zero Knowledge

Advanced Cryptography Midterm Exam

Integers and Division

NOTE: You have 2 hours, please plan your time. Problems are not ordered by difficulty.

Theoretical Cryptography, Lectures 18-20

Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 3

HOMEWORK 11 MATH 4753

In fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CPSC 467b: Cryptography and Computer Security

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Discrete Mathematics and Probability Theory Summer 2014 James Cook Midterm 1

Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution

Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Discrete Math in Computer Science Solutions to Practice Problems for Midterm 2

Cryptography Lecture 3. Pseudorandom generators LFSRs

Notes for Lecture 25

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

10 Concrete candidates for public key crypto

Introduction to Elliptic Curve Cryptography. Anupam Datta

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Clock Arithmetic and Euclid s Algorithm

3.2 Solving linear congruences. v3

Lecture 2: Perfect Secrecy and its Limitations

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

The RSA cryptosystem and primality tests

Lecture Notes. Advanced Discrete Structures COT S

How fast can we add (or subtract) two numbers n and m?

Discrete Mathematics and Probability Theory Summer 2017 Course Notes Note 6

1 Number Theory Basics

Public Key Encryption

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Implementing Ring-LWE cryptosystems

Basic elements of number theory

Basic elements of number theory

THE RSA ENCRYPTION SCHEME

Introduction to Cybersecurity Cryptography (Part 5)

Lecture 1: Introduction to Public key cryptography

CPSC 467: Cryptography and Computer Security

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

COMP424 Computer Security

1 Cryptographic hash functions

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Introduction to Cybersecurity Cryptography (Part 4)

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Mathematical Foundations of Cryptography

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7

Grade 11/12 Math Circles Rational Points on an Elliptic Curves Dr. Carmen Bruni November 11, Lest We Forget

MATH 158 FINAL EXAM 20 DECEMBER 2016

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Big-Oh notation and P vs NP

Foundations of Network and Computer Security

Introduction to Cryptography. Lecture 6

Introduction to Cybersecurity Cryptography (Part 4)

Discrete Mathematics and Probability Theory Spring 2015 Vazirani Midterm #2 Solution

Transcription:

Cryptography and Security Midterm Exam Solution Serge Vaudenay 25.11.2015 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical question during the exam readability and style of writing will be part of the grade The exam grade follows a linear scale in which each question has the same weight. 1 Vernam with Two Dice Our crypto apprentice decided to encrypt messages x Z 12 (instead of bits) using the generalized Vernam cipher in the group Z 12. As he did not fully understand the course, he decided to pick a key k (for each x) by rolling two dice (with 6 faces numbered from 1 to 6) and setting k = k 1 + k 2 to the sum of the two faces up k 1 and k 2. The encryption of x with key k is then y = (x + k) mod 12. Q.1 Why is this encryption scheme insecure? In the generalized Vernam cipher, k must be uniformly distributed in Z 12. Here, k is a number from 2 to 12. It is not a big deal as it is equivalent to use k mod 12, but the distribution of k mod 12 we obtain is far from being uniform in Z 12. For instance, Pr[k mod 12 = 2] = 1 12 and Pr[k mod 12 = 7] = 1 6. Q.2 We still use k = k 1 +k 2. Given a factor n of 12, we now take x Z n and y = (x+k) mod n. Show that for some values n, this provides perfect secrecy but for others, this does not. (Consider all factors n of 12.) We just have to say for which n is k mod n uniformly distributed. Since k = k 1 +k 2, the sum of the values k 1 and k 2 of the two dice, and since k 1 and k 2 are independent and uniformly distributed modulo 6, the scheme is secure when n is a factor of 6: n {1, 2, 3, 6}. For n = 12, we have seen it is not secure. What remains is n = 4. k 1 mod 4 and k 2 mod 4 have distribution Pr[k i mod 4 = i] = 1 6 for i {0, 3} and Pr[k i mod 4 = i] = 1 3 for i {1, 2}. So, Pr[k mod 4 = 0] = 1 4, Pr[k mod 4 = 1] = 2 9, Pr[k mod 4 = 2] = 1 5 4, and Pr[k mod 4 = 3] = 18. So, it is not uniform and the scheme is not secure for n = 4.

Q.3 Finally, the crypto apprentice decides to encrypt a bit x {0, 1} into y = (x + k) mod 4, still with k = k 1 + k 2 from rolling the two 6-face dice. We assume that x is uniformly distributed in {0, 1}. For each c, compute the probabilities Pr[x = 0 y = c] and Pr[x = 1 y = c]. Using the Bayes formula, we have Pr[x = b y = c] = Pr[y = c x = b] Pr[x = b] b Pr[y = c x = b ] Pr[x = b ] Clearly, Pr[y = c x = b ] = Pr[k c b (mod 4)] due to the independence between x and k. Since x is uniformly distributed, we obtain Pr[x = b y = c] = Pr[k c b] Pr[k c b] b Pr[k c = b ] Pr[k {c, c 1}] where values of k are taken modulo 4. Using the distribution that we computed in the previous question, we can fill the following table: c Pr[x = 0 y = c] Pr[x = 1 y = c] 0 9/19 10/19 1 8/17 9/17 2 9/17 8/17 3 10/19 9/19 Q.4 By taking x {0, 1} as a function of c such that Pr[x = x y = c] is maximal, compute the probability P e = Pr[x x] (still when x is uniform in {0, 1}). We have x = 1 for c = 0, x = 1 for c = 1, x = 0 for c = 2, and x = 0 for c = 3. For x = 0, x x when c {0, 1} so ( k mod 4 {0, ( 1}. For x = 1, x x when c {2, 3} so k mod 4 {1, 2}. So, P e = 1 1 2 4 9) + 2 + 1 2 2 9 4) + 1 = 17 36 = 1 2 1 36.

2 Elliptic Curve Factoring Method In this exercise, we want to recover the smallest prime factor p of an integer n. Given an elliptic curve E a,b (p) over Z p, we denote by O the point at infinity. The procedure to add two points P and Q which has been seen in class can be implemented as follows: Add1(E a,b (p), P, Q) 1: if x P x Q (mod p) and y P y Q (mod p) (equivalent to P = Q) then 2: return O 3: end if 4: if x P x Q (mod p) and y P y Q (mod p) (equivalent to P = Q) then 5: set u = (2y P ) 1 mod p 6: set λ = ((3x 2 P + a) u) mod p 7: else 8: set u = (x Q x P ) 1 mod p 9: set λ = ((y Q y P ) u) mod p 10: end if 11: set x R = (λ 2 x P x Q ) mod p 12: set y R = ((x P x R )λ y P ) mod p 13: return R = (x R, y R ) We first consider the following algorithm. (Yes, it uses p but we will later build on it another algorithm ignoring p.) Proc1(p) 1: pick some random parameters a, b Z p, define the elliptic curve E a,b (p) over Z p by y 2 = x 3 + ax + b and pick a random point S on E a,b (p) 2: set i = 1 3: while S O do 4: i i + 1 5: S i.s with the double-and-add algorithm using Add1(E a,b (p), P, Q) 6: end while We let q denote the order of E a,b (p) over Z p. We assume that, due to selecting a and b at random, q is a random number between p 2 p and p + 2 p. Q.1 Show that Proc1 terminates. Due to the Lagrange Theorem, q.s = O for any initial point S. So, if i is large enough, q divides i! and for sure, i!.s = O. Hence, Proc1 terminates. Q.2 Let M(q) be the largest prime factor of q and α j be the largest integer such that j α j divides q. We assume that the probability that q is such that we have α j for all M(q) j prime j is very high, and that the probability that a random point P in E a,b (p) has an order multiple of M(q) is also very high. Show that when these two conditions are met, Proc1 terminates with the value i = M(q). HINT: Show that when the first condition is met, then q divides M(q)!. HINT 2 : This question may be a bit harder than the next ones.

Let q = j α k be the factorization into primes of q, with α jk > 1 and j 1 < j 1 < primes. Due to the assumption, we have α jk M(q). So, q divides M(q) jk. We have M(q)/j integers multiple of j between 1 and M(q) so j M(q) k M(q) divides M(q)! for all k. Since all are different primes, jk divides M(q)! as well. Hence, q divides M(q)!. We deduce that i = M(q) makes the algorithm terminate. As M(q) is prime, (M(q) 1)! is not divisible by M(q) so when the order of P is a multiple of M(q), i = M(q) 1 does not terminate. So, i = M(q) is the smallest i making the algorithm terminate. In what follows, we assume that this implies that the average number of iterations in Proc1 is e (1+o(1)) ln p ln ln p. Q.3 We change Proc1 into Proc2 by making computations modulo n instead of modulo p. When adding two points P and Q, the test P = Q and the test P = Q are still done modulo p. We temporarily assume that we can easily pick an element in the curve at random in the first step of Proc2. Below, we underline what was changed. Add2(E a,b (p, n), P, Q) 1: if x P x Q (mod p) and y P y Q (mod p) then 2: return O 3: end if 4: if x P x Q (mod p) and y P y Q (mod p) then 5: set u = (2y P ) 1 mod n (abort with an error message if non invertible) 6: set λ = ((3x 2 P + a) u) mod n 7: else 8: set u = (x Q x P ) 1 mod n (abort with an error message if non invertible) 9: set λ = ((y Q y P ) u) mod n 10: end if 11: set x R = (λ 2 x P x Q ) mod n 12: set y R = ((x P x R )λ y P ) mod n 13: return R = (x R, y R ) Proc2(p, n) 1: pick some random parameters a, b Z n, define the curve E a,b (p, n) over Z n by y 2 = x 3 + ax + b, and pick a random point S on E a,b (p, n) 2: set i = 1 3: while S O do 4: i i + 1 5: S i.s with the double-and-add algorithm using Add2(E a,b (p, n), P, Q) 6: end while We execute in parallel Proc1 and Proc2 with the same random seed. We let S 1 (resp. S 2 ) designate the value of the register S in Proc1 (resp. Proc2). Show that at every step, x S1 x S2 (mod p) and y S1 y S2 (mod p) until Proc2 aborts with an error or terminates.

For any polynomial function f, f(x) mod n mod p = f(x) mod p. This is also the case when we have divisions, except if we try to divide by something non invertible. So, by induction, the intermediate results are equal modulo p until we have an illegal division. Q.4 Transform Add2 so that any abortion yields a non-trivial factor of n instead of an error. The original algorithm never tries to divide by something non-invertible. So, the new algorithm never tries to divide by a multiple of p. If it tries to divide by some value z which is not invertible modulo n, then gcd(n, z) > 1 and p does not divide z. So, gcd(n, z) is a non-trivial factor of n. Hence, we can run the extended Euclid algorithm (u, d) = eeuclid(n, z) to obtain the d = gcd(n, z) and the inverse u of z modulo n (if d = 1). If d > 1, we can abort and yield d as a non-trivial factor of n. Q.5 Further transform Add2 so that it does not need p any longer. HINT: look at what can go wrong if we do the comparisons modulo n. If two points are equal modulo n, they must be equal modulo p. However, two different points modulo n may become equal modulo p. What can go wrong is when we add two points P and Q such that P Q modulo n but P = Q modulo p. In that case, x Q x P is a multiple of p but not a multiple of n and we are back in the previous case which will yield a non-trivial factor of n. If P Q modulo n but P = Q modulo p, this is the same. Q.6 Observe that the first step of Proc2 cannot be done efficiently. Transform this step to make it doable efficiently and without using p. HINT: pick S first! We cannot try to solve y 2 = x 3 + ax + b modulo n as we do not know how to extract roots modulo n. Instead, we pick S = (x, y) at random in Z n then a Z n at random then set b = y 2 x 3 ax: 1: pick S = (x, y) Z 2 n at random 2: pick a Z n at random 3: set b = y 2 x 3 ax Q.7 Show that the probability that Proc2 terminates with an abortion is very high based on the assumptions from Q.2. Deduce that we can find the smallest prime factor p of n with complexity e (1+o(1)) ln p ln ln p. HINT: we do not expect any probability computation, just identify cases when the algorithm does not abort and heuristicaly justify that this is unlikely to happen.

We have seen that Proc1 terminates with very high probability with a number of iterations equal to M(q). If Proc2 terminates without any illegal division, it means that for each prime factor p of n, the order q of the curve modulo p have all the same M(q ). Since these orders are random and independent, this is highly unlikely to happen. Here is the final algorithm: Add3(E a,b (n), P, Q) 1: if x P x Q (mod n) and y P y Q (mod n) then 2: return O 3: end if 4: if x P x Q (mod n) and y P y Q (mod n) then 5: set (u, d) = eeuclid(n, 2y P ) 6: if d > 1, abort and yield d 7: set λ = ((3x 2 P + a) u) mod n 8: else 9: set (u, d) = eeuclid(n, x Q x P ) 10: if d > 1, abort and yield d 11: set λ = ((y Q y P ) u) mod n 12: end if 13: set x R = (λ 2 x P x Q ) mod n 14: set y R = ((x P x R )λ y P ) mod n 15: return R = (x R, y R ) ECM(n) 1: pick S = (x, y) Z 2 n at random 2: pick a Z n at random 3: set b = y 2 x 3 ax mod n 4: set i = 1 5: while S O do 6: i i + 1 7: S i.s with the double-and-add algorithm using Add3(E a,b (n), P, Q) 8: end while 9: stop (the algorithm failed) Based on the previous questions, this algorithm is most likely to yield p, or at least a non-trivial factor but we can then run it recursively until we find p. Furthermore, its expected number of iterations is e (1+o(1)) ln p ln ln p.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback