Solution to Problem Set 3

Similar documents
Solution to Midterm Examination

ECE596C: Handout #11

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Mathematical Foundations of Public-Key Cryptography

CPSC 467b: Cryptography and Computer Security

Homework #2 solutions Due: June 15, 2012

CPSC 467: Cryptography and Computer Security

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

COMP4109 : Applied Cryptography

MATH3302 Cryptography Problem Set 2

Basic elements of number theory

Basic elements of number theory

Some Comments on the Security of RSA. Debdeep Mukhopadhyay

Number Theory. Modular Arithmetic

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

The security of RSA (part 1) The security of RSA (part 1)

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

CPSC 467b: Cryptography and Computer Security

Mathematics of Cryptography

Exercise Sheet Cryptography 1, 2011

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CPSC 467: Cryptography and Computer Security

Implementation Tutorial on RSA

Iterated Encryption and Wiener s attack on RSA

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Introduction to Public-Key Cryptosystems:

Number Theory and Algebra: A Brief Introduction

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

CPSC 467b: Cryptography and Computer Security

Basic Algorithms in Number Theory

Module 2 Advanced Symmetric Ciphers

CPSC 467b: Cryptography and Computer Security

Asymmetric Encryption

Numbers. Çetin Kaya Koç Winter / 18

Public Key Cryptography

Solutions to the Midterm Test (March 5, 2011)

Mathematics for Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

DM49-2. Obligatoriske Opgave

CPSC 467b: Cryptography and Computer Security

Number Theory & Modern Cryptography

Written examination. Tuesday, August 18, 2015, 08:30 a.m.

Introduction to Modern Cryptography. Benny Chor

For your quiz in recitation this week, refer to these exercise generators:

Ma/CS 6a Class 3: The RSA Algorithm

ICS141: Discrete Mathematics for Computer Science I

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Encryption: The RSA Public Key Cipher

Congruence of Integers

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

CPSC 467b: Cryptography and Computer Security

Math 430 Midterm II Review Packet Spring 2018 SOLUTIONS TO PRACTICE PROBLEMS

Discrete mathematics I - Number theory

Lecture 12: Block ciphers

RSA RSA public key cryptosystem

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

MATH 501 Discrete Mathematics. Lecture 6: Number theory. German University Cairo, Department of Media Engineering and Technology.

Public-Key Cryptosystems CHAPTER 4

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Outline. Number Theory and Modular Arithmetic. p-1. Definition: Modular equivalence a b [mod n] (a mod n) = (b mod n) n (a-b)

Discrete Mathematics GCD, LCM, RSA Algorithm

3.2 Solving linear congruences. v3

Mathematical Foundations of Cryptography

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Lecture Notes, Week 6

RSA. Ramki Thurimella

Number theory (Chapter 4)

CS1800 Discrete Structures Fall 2016 Profs. Aslam, Gold, Ossowski, Pavlu, & Sprague 27 October, CS1800 Discrete Structures Midterm Version A

CHAPTER 3. Congruences. Congruence: definitions and properties

Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

NET 311D INFORMATION SECURITY

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

Elliptic Curve Cryptography

CIS 551 / TCOM 401 Computer and Network Security

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Carmen s Core Concepts (Math 135)

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Security II: Cryptography exercises

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Basic Algorithms in Number Theory

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

A Beginner s Guide To The General Number Field Sieve

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Number Theory Notes Spring 2011

Classical Cryptography

Number Theory and Group Theoryfor Public-Key Cryptography

Name: Mathematics 1C03

Solution of Exercise Sheet 7

Transcription:

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #11 (rev. 2) Xueyuan Su October 27, 2008 Solution to Problem Set 3 Due on Wednesday, October 22, 2008. In the problems below, textbook refers to Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition, Chapman & Hall/CRC, 2006. Problem 1: Feistel Network Textbook, problem 3.2. In each stage of the Feistel netowrk, it works as follows: L i+1 = R i (1) R i+1 = L i f(r i, K i ) (2) After applying n stages of the Feistel network to the plaintext L 0 and R 0 with the key schedule K 0,, K n 1, we get the ciphertext L n and R n. Now we show that the decryption can be done by applying the same encryption algorithm to L n and R n, with the reversed key schedule K n 1,, K 0. Switching the two sides of (1) and applying ( f(r i, K i )) to both sides of (2), we get R i = L i+1 (3) L i = R i+1 f(r i, K i ) (4) Therefore, after applying the algorithm to L n and R n with key K n 1, we get L n 1 and R n 1. Then applying the algorithm to L n 1 and R n 1 with key K n 2, we get L n 2 and R n 2. Repeating the same procedure for n times with the key schedule K n 1,, K 0, we get L 0 and R 0 at the end. Problem 2: DES Complementation Property Textbook, problem 3.3. y = DES(x, K) and y = DES(c(x), c(k)). The heart of DES is the Feistel network, whose one stage algorithm is described by (1) and (2). For DES(L 0 R 0, K), define L 0 = c(l 0), R 0 = c(r 0 ) and K i = c(k i), which leads to another instance DES(L 0 R 0, K ). We will show that for any stage of the Feistel network, L i = c(l i) and R i = c(r i). Base: the case when i = 1. For instance DES(L 0 R 0, K), L 1 = R 0 (5) R 1 = L 0 f(r 0, K 0 ) (6)

2 Solution to Problem Set 3 For instance DES(L 0 R 0, K ), L 1 = R 0 = c(r 0 ) = c(l 0 ) (7) R 1 = L 0 f(r 0, K 0) = c(l 0 ) f(c(r 0 ), c(k 0 )) (8) Since f(r i, K i ) uses the bitwise operation to combine input bits of R i (after expansion) and K i before the permutation in S-boxes, and operation is associative and commutative, Combining (8) and (9) gives c(r) c(k) = r k (9) R 1 = c(l 0 f(r 0, K 0 )) = c(r 1 ) (10) Induction: Assume the claim holds for all i < n, consider the case when i = n. For instance DES(L 0 R 0, K), For instance DES(L 0 R 0, K ), L n = R n 1 (11) R n = L n 1 f(r n 1, K n 1 ) (12) L n = R n 1 = c(r n 1 ) (13) R n = L n 1 f(r n 1, K n 1) = c(l n 1 ) f(c(r n 1 ), c(k n 1 )) = c(l n 1 f(r n 1, K n 1 )) (14) Therefore, after 16 stages of Feistel network, we can get L 16 = c(l 16) and R 16 = c(r 16). Concatenating L 16 and R 16, we conclude y = L 16R 16 = c(l 16 R 16 ) = c(y) (15) Problem 3: DES S-box S 4 Textbook, problem 3.11(a). [Omit part (b).] Each S-box S i maps an input of six bits to an output of four bits, i.e., S i : {0, 1} 6 {0, 1} 4. S i can be depicted by a 4 16 array whose entries are integers in the range [0, 15]. Given a six-bit input B = b 0 b 1 b 2 b 3 b 4 b 5, we compute S i (B) as follows. The two bits b 0 b 5 determine the binary representation of a row r of S i, where 0 r 3, while the four bits b 1 b 2 b 3 b 4 determine the binary representation of a column c of S i, where 0 c 15. Then we find the entry corresponding to row r and column c of the 4 16 array, and use it binary representation as the four-bit output. For the special property of S 4, we need to check the binary representation of each entry one by one. For example, the first entry of the second row is (13) 10 = (1101) 2, and the first entry of the first row is (7) 10 = (0111) 2. Applying the mapping, we have (0, 1, 1, 1) (1, 0, 1, 1) (0, 1, 1, 0) = (1, 1, 0, 1) (16) We put the results for all the 16 entries in the table below.

Handout #11 (rev. 2) October 27, 2008 3 c first row mapping second row 0 (7) 10 = (0111) 2 (0, 1, 1, 1) (1, 0, 1, 1) (0, 1, 1, 0) = (1, 1, 0, 1) (13) 10 = (1101) 2 1 (13) 10 = (1101) 2 (1, 1, 0, 1) (1, 1, 1, 0) (0, 1, 1, 0) = (1, 0, 0, 0) (8) 10 = (1000) 2 2 (14) 10 = (1110) 2 (1, 1, 1, 0) (1, 1, 0, 1) (0, 1, 1, 0) = (1, 0, 1, 1) (11) 10 = (1011) 2 3 (3) 10 = (0011) 2 (0, 0, 1, 1) (0, 0, 1, 1) (0, 1, 1, 0) = (0, 1, 0, 1) (5) 10 = (0101) 2 4 (0) 10 = (0000) 2 (0, 0, 0, 0) (0, 0, 0, 0) (0, 1, 1, 0) = (0, 1, 1, 0) (6) 10 = (0110) 2 5 (6) 10 = (0110) 2 (0, 1, 1, 0) (1, 0, 0, 1) (0, 1, 1, 0) = (1, 1, 1, 1) (15) 10 = (1111) 2 6 (9) 10 = (1001) 2 (1, 0, 0, 1) (0, 1, 1, 0) (0, 1, 1, 0) = (0, 0, 0, 0) (0) 10 = (0000) 2 7 (10) 10 = (1010) 2 (1, 0, 1, 0) (0, 1, 0, 1) (0, 1, 1, 0) = (0, 0, 1, 1) (3) 10 = (0011) 2 8 (1) 10 = (0001) 2 (0, 0, 0, 1) (0, 0, 1, 0) (0, 1, 1, 0) = (0, 1, 0, 0) (4) 10 = (0100) 2 9 (2) 10 = (0010) 2 (0, 0, 1, 0) (0, 0, 0, 1) (0, 1, 1, 0) = (0, 1, 1, 1) (7) 10 = (0111) 2 10 (8) 10 = (1000) 2 (1, 0, 0, 0) (0, 1, 0, 0) (0, 1, 1, 0) = (0, 0, 1, 0) (2) 10 = (0010) 2 11 (5) 10 = (0101) 2 (0, 1, 0, 1) (1, 0, 1, 0) (0, 1, 1, 0) = (1, 1, 0, 0) (12) 10 = (1100) 2 12 (11) 10 = (1011) 2 (1, 0, 1, 1) (0, 1, 1, 1) (0, 1, 1, 0) = (0, 0, 0, 1) (1) 10 = (0001) 2 13 (12) 10 = (1100) 2 (1, 1, 0, 0) (1, 1, 0, 0) (0, 1, 1, 0) = (1, 0, 1, 0) (10) 10 = (1010) 2 14 (4) 10 = (0100) 2 (0, 1, 0, 0) (1, 0, 0, 0) (0, 1, 1, 0) = (1, 1, 1, 0) (14) 10 = (1110) 2 15 (15) 10 = (1111) 2 (1, 1, 1, 1) (1, 1, 1, 1) (0, 1, 1, 0) = (1, 0, 0, 1) (9) 10 = (1001) 2 Problem 4: Practice with mod Read pages 3 4 of textbook and then work the following: (a) Textbook, problem 1.1. (b) Textbook, problem 1.2. (c) Textbook, problem 1.3. (d) Textbook, problem 1.4. Problem 1.1 (a) By the division theorem, 7503 = 92 81 + 51, so 7503 mod 81 = 51. (b) By the division theorem, 7503 = 93 81 + 30, so ( 7503) mod 81 = 30. (c) By the division theorem, 81 = 0 7503 + 81, so 81 mod 7503 = 81. (d) By the division theorem, 81 = 1 7503 + 7422, so ( 81) mod 7503 = 7422 Problem 1.2 By the division theorem, a = m a + (a mod m). Therefore, we have ( a) mod m = ( ) a m (a mod m) = ( (a mod m)) mod m mod m = (m (a mod m)) mod m (17)

4 Solution to Problem Set 3 Because a 0 (mod m), it is easy to see that 0 < a mod m < m, which implies 0 < m (a mod m) < m. Therefore, we have (m (a mod m)) mod m = m (a mod m) (18) Combining (17) and (18), we reach the conclusion that Problem 1.3 ( a) mod m = m (a mod m) (19) By definition, a b (mod m) m (a b). By the division theorem, a a = m + (a mod m) (20) b b = m + (b mod m) (21). Subtracting (21) from (20) gives ( a (a b) = m + (a mod m) ) ( ) b m + (b mod m) (22) Together with the fact that m (mu + v) iff m v, we have m (a b) m (a mod m b mod m) (23) Because (i mod m) Z m, m (a mod m b mod m) iff a mod m = b mod m. In sum, we have shown a b (mod m) a mod m = b mod m (24) Problem 1.4 By the division theorem, a = km + b, where 0 b < m. It is obvious b = a mod m. Dividing both sides of the first equation by m, we have a m = k + b m. 0 b < m implies that 0 b m < 1, and thus k is the largest integer that is less than or equal to a m, which is precisely the definition of a. Therefore, a mod m = b Problem 5: Extended Euclidean Algorithm Textbook, problem 5.3. Show your work. a) 17 1 mod 101 = 6 1 101 1 0 2 17 0 1 5 3 16 1-5 1 4 1-1 6 16 = a km a = a m (25)

Handout #11 (rev. 2) October 27, 2008 5 b) 357 1 mod 1234 = 1234 159 = 1075 c) 3125 1 mod 9987 = 1844 1 1234 1 0 2 357 0 1 3 3 163 1-3 2 4 31-2 7 5 5 8 11-38 3 6 7-35 121 1 7 1 46-159 1 9987 1 0 2 3125 0 1 3 3 612 1-3 5 4 65-5 16 9 5 27 46-147 2 6 11-97 310 2 7 5 240-767 2 8 1-577 1844 Problem 6: Linear Diophantine Equations Textbook, problem 5.4. Show your work. gcd(57, 93) = 3 s = 13, t = 8 a b 93 57 57 36 36 21 21 15 15 6 6 3 3 0 1 19 1 0 2 31 0 1 0 3 19 1 0 1 4 12 1 0 1 5 7 2-1 1 6 5-3 2 1 7 2 5-3 2 8 1-13 8

6 Solution to Problem Set 3 Problem 7: RSA Encryption [This is problem 6.8.2 from Trapp & Washington, Introduction to Cryptography with Coding Theory, Second Edition, Pearson Prentice Hall, 2006.] Suppose your RSA modulus is n = 55 = 5 11 and your encryption exponent is e = 3. (a) Find the decryption modulus d. (b) Assume that gcd(m, 55) = 1. Show that if c m 3 (mod 55) is the ciphertext, then the plaintext is m c d (mod 55). Do not quote the fact that RSA decryption works. That is what you are showing in this specific case. (a) Since n = 55 = 5 11, we have φ(n) = (5 1) (11 1) = 40. Now we apply the Extended Euclidean algorithm to find d given that e = 3. Therefore, we have d = 40 13 = 27. 1 40 1 0 2 3 0 1 13 3 1 1-13 (b) The question asks us to prove m c 27 (mod 55), given c m 3 (mod 55) and gcd(m, 55) = 1. Starting from the first condition, we have c m 3 (mod 55) c 27 (m 3 ) 27 (m 40 ) 2 m (mod 55) (26) Euler s theorem says, if gcd(x, n) = 1, then x φ(n) 1 (mod n) (27) Since φ(55) = 40 and gcd(m, 55) = 1, combining (26) and (27) gives Because congruence is commutative, (28) implies c 27 (m 40 ) 2 m m (mod 55) (28) m c 27 (mod 55) (29)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback